The software described in this book is furnished under a license agreement and 
may be used only in accordance with the terms of the agreement. 

Copyright notice 

Copyright © 1998-2002 Symantec Corporation. 
All Rights Reserved. 

Any technical documentation that is made available by Symantec Corporation is 
the copyrighted work of Symantec Corporation and is owned by Symantec 
Corporation. 

Portions copyright (c) eHelp Corporation. All rights reserved. 

No warranty 

The technical documentation is being delivered to you AS-IS and Symantec 
Corporation makes no warranty as to its accuracy or use. Any use of the technical 
documentation or the information contained therein is at the risk of the user. 
Documentation may include technical or other inaccuracies or typographical 
errors. Symantec reserves the right to make changes without prior notice. 

No part of this publication may be copied without the express written permission 
of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014. 

Trademarks 

VelociRaptor, Symantec Raptor Management Console, Symantec Gateway 
Security, Symantec Security Response Team, Symantec LiveUpdate, Symantec 
Norton Antivirus Extension (NAVEX) and Bloodhound are registered 
trademarks of Symantec Corporation. 

Microsoft, MS-DOS, Windows, and Windows NT are registered trademarks of 
Microsoft Corporation. IBM, OS/2, and OS/2 Warp are registered trademarks of 
International Business Machines Corporation. Novell and NetWare are registered 
trademarks of Novell Corporation. 3Com and EtherLink are registered 
trademarks of 3Com Corporation. Compaq is a registered trademark of Compaq 
Corporation. Zip and Jaz are registered trademarks of Iomega Corporation. 
SuperDisk is a trademark of Imation Enterprises Corporation, Rainwall is a 
registered trademark of Rainfinity Corporation. This product includes software 
developed by the Apache Software Foundation. RealAudio is the registered 
trademark of RealNetworks, Inc., Adobe Acrobat Reader is the registered 
trademark of Adobe, Realtime Blackhole List and Dial-up UserList are registered 
trademarks of Mail Abuse Prevention Systems, L.L.C. FireProof is a registered 
trademark of Radware. 

Other product names mentioned in this manual may be trademarks or registered 
trademarks of their respective companies and are hereby acknowledged. 

Technical support 

As part of Symantec Security Response, our global technical support group 
maintains support centers throughout the world. Our primary role is to respond 
to specific questions on product feature/function, installation, and configuration, 
as well as to author content for our Web-accessible Knowledge Base. We work 
collaboratively with the other functional areas within Symantec to answer your 
questions in a timely fashion, such as working with Product Engineering as well 
as our Security Research Centers to provide Alerting Services and Virus 
Definition Updates for virus outbreaks and security alerts. 

Highlights of our support offerings include: 

■ A range of support options giving you the flexibility to select the right 
amount of service for any size organization 

■ Telephone and Web support components providing rapid response and 
up-to-the-minute information 

■ Upgrade insurance delivering automatic software upgrade protection 

■ Content updates for virus definitions and security signatures ensuring the 
highest level of protection 

■ Global support from Symantec Security Response experts available 24x7 
world wide in a variety of languages 

■ Advanced features such as the Symantec Alerting Service and Technical 
Account Manager role offering enhanced response and proactive security 
support 

Please reference our website for current information on support programs. The 
specific features available may vary based on the level of support purchased and 
the specific product you are using. 

Registration and licensing 

If the product you are implementing requires registration and/or a license key, 
the fastest and easiest way to register your service is to access our licensing and 
registration site at www.symantec.com/certificate. Alternatively, you may go to 
www.symantec.com/techsupp/ent/enterprise.html, select the product you wish to 
register and, from the Product Home Page select the Licensing and Registration 
link. 

Contacting support 

Customers with a current support agreement may contact the Technical Support 
team via phone or Web at www.symantec.com/techsupp. 

When contacting support, please be sure to have the following information 
available: 

■ Product release level 

■ Hardware information: available memory, disk space, NIC information 

■ Operating system: version and patch level 

■ Network topology: router, gateway and IP address information 

■ Problem description: error messages/log files; troubleshooting performed 
prior to contacting Symantec; recent software configuration changes and/or 
network changes 

Customer service 

Contact Enterprise Customer Service online at www.symantec.com, select the 
appropriate Global Site for your country, then click Service and Support. 
Customer Service assists with the following types of issues: 

■ Questions regarding product licensing or serialization 

■ Update product registration with address or name changes 

■ General product information (for example, features, language availability, 
dealers in your area) 

■ Latest information on product updates and upgrades 

■ Information on upgrade insurance and maintenance contracts 

■ Information on Symantec Value License Program 

■ Advice on Symantec's technical support options 

■ Non-technical presales questions 

■ Missing or defective CD-ROMs or manuals 
Chapter 



Product Overview 



The Symantec VelociRaptor is an integrated hardware and software firewall/VPN 
appliance that employs full-inspection technology to provide a fast and secure 
connection to the Internet, delivering enterprise-class network security. The 
single-rack unit high (1RU), plug-and-protect appliance ensures complete 
control of information entering and leaving the network with data inspection 
technology that filters traffic and integrates application level proxies, network 
circuit analysis, and packet filtering into the gateway security architecture. To bar 
access to private networks and confidential information, Symantec VelociRaptor 
applies full-inspection scanning techniques that ensure that data is validated at all 
levels of the protocol stack, including application proxies. 

Through the Symantec Raptor Management Console (SRMC), administrators 
can flexibly configure scalable gateway protection for networks of any size. The 
console allows administrators to remotely and securely control and monitor 
distributed appliances, firewalls, and VPN servers and create configurable policies 
for users and user groups. In addition to its simplified policy management, 
Symantec VelociRaptor makes installation and configuration quick and easy with 
a pre-installed Symantec Enterprise Firewall and Symantec Enterprise VPN, 
pre-configured and hardened operating system software, and an array of setup 
wizards. To provide high availability and to share traffic loads among multiple 
security devices, Symantec VelociRaptor includes optional high availability load 
balancing features. 

With its integrated, standards-based Symantec Enterprise VPN, the Symantec 
VelociRaptor provides secure site-to-site remote access to extend enterprise 
networks. Support for home office and telecommuter access is available with the 
optional Full VPN Upgrade. 

Symantec VelociRaptor is a member of Symantec's growing line of security 
appliances and its integrated Symantec Enterprise Firewall meets the most 
stringent industry interoperability and ICSA Labs Cryptography Product 
Certification requirements. 

Key Features 

■ Delivers multi-function firewall/VPN security capabilities in a fully 
integrated, rack-mountable appliance 

■ Provides enterprise-class gateway security with full-inspection application 
proxy technology and automatic system hardening and monitoring 

■ Offers a true plug-and-protect solution with quick installation, 
pre-configured software, and secure remote management 

■ Securely extends networks with a Proxy Secured, IPSec-compliant integrated 
VPN 



Firewall 

The VelociRaptor appliance includes technologies from Symantec's Enterprise 
Firewall to protect enterprise assets and business transactions with one of the 
most secure, high-performance solutions for ensuring safe connections with the 
Internet and between networks. Its unique architecture delivers security and 
speed, providing strong and transparent firewall protection against unwanted 
intrusion without slowing the flow of approved traffic on enterprise networks. 
Features include: 

■ Standard proxies 

These proxies handle common services, such as telnet, HTTP, FTP, 
RealAudio, and others. Standard proxies offer the highest level of logging 
and ease of use. 

Unless specifically stated otherwise, when this manual describes how traffic is 
passed, it does so using standard proxies. 

■ Custom protocols 

You can use the Symantec Raptor Management Console (SRMC) Protocol 
Properties page to configure generic services provided by the hosts residing 
on either side of the gateway. Custom or "generic" service proxies include 
any service not supported by one of the VelociRaptor's proxy server 
applications. 

■ Address transforms 

Address transforms give you the ability to control addressing, letting you 
present routable addresses for connections passing through a system 
interface or secure tunnel. This helps you to route connections to the correct 
destination when your site has addressing overlap issues or other routing 
problems. 



■ Configuration reports 

You can generate and print full reports for every configurable item of the 
VelociRaptor appliance. 

■ Defense Against Denial of Service Attacks 

A denial of service attack prevents legitimate users from accessing Internet 
services by consuming network resources with an onslaught of continuous 
service requests. You can configure your VelociRaptor appliance to quickly 
recognize this type of attack and immediately drop all packets coming from a 
hostile source. 

See the Symantec Enterprise Firewall and Symantec Enterprise VPN Configuration 
Guide for more information. 

VPN 

The VelociRaptor appliance includes technology from the Symantec Enterprise 
VPN server, which allows organizations to securely extend their network 
perimeters beyond the enterprise firewall by providing VPN server proxy-secured 
scanning and personal firewall protection via the Symantec Enterprise VPN 
client. A completely integrated and standards-based solution, it allows 
organizations to establish safe, fast, and inexpensive connections, enabling new 
forms of business and secure access to information for authorized partners, 
customers, telecommuters, and remote offices. 

The VelociRaptor appliance uses VPN tunnels to send encrypted and 
encapsulated IP packets over public networks securely to another VPN server. 
Symantec's IPsec-compliant Symantec Enterprise Virtual Private Network 
(SEVPN) Client 7.0 is optional and available with the full VPN function cross 
grade license. 

VPN features include: 

■ VPN policies 

The VelociRaptor appliance ships with pre-configured general VPN policies 
that you can apply to your secure tunnels. 

For example, there are IPsec/IKE policies and IPsec/Static policies. You can 
apply these policies to each IKE or IPsec/Static secure tunnel you create. 

■ Support for third party IKE clients 

VelociRaptor supports scalable policy management for any IKE-compliant, 
third party mobile client through tunnels based on users and user groups. 

See the Symantec Enterprise Firewall and Symantec Enterprise VPN Configuration 
Guide for more information. 

Antivirus Scanning 

The VelociRaptor appliance provides antivirus scanning by sending HTTP, FTP and 
SMTP files to a remote antivirus scan server running on a Symantec Gateway 
Security appliance. 

High availability/load balancing 

The VelociRaptor appliance provides optional high availability and load 
balancing technology for clustered appliances. In today's business environment, 
Internet access is mission critical. In order to achieve the availability needed while 
also maximizing your throughput, your security gateways require high 
availability and load balancing. This new integrated offering ensures easier setup, 
better performance, and higher security than other high availability/load 
balancing solutions on the market. 

When two or more VelociRaptor appliances are available, the failure of one 
appliance causes the other appliance(s) to automatically pick up the workload of 
the failed appliance. Appliances in a cluster also share the traffic load to maintain 
high throughput. 

Symantec Raptor Management Console 

The Symantec Raptor Management Console (SRMC) is the graphical user 
interface for managing and monitoring all functions on the VelociRaptor 
appliance. 



Appliance models and specifications 

There are three VelociRaptor appliance models: 1100, 1200 and 1300. 



Model 1100 

■ 50 node license 

■ Four 10/100Base-T Ethernet network interfaces 

■ Serial console interface 

■ Serial port for uninterruptible power supply (UPS) 

■ LCD display and keypad for easy set-up 

■ Six status indicator LEDs 
Figure 1-1 VelociRaptor appliance Model 1100 



Note: The VelociRaptor appliance ships with either high encryption (3DES/AES) 
or DES encryption. 



Table 1-1 Model 1100 specifications 

Parameter                   Specification 

Dimensions                  17.00 in. x 12.50 in. x 1.75 in. (43.2 cm x 31.8 cm x 4.5 cm); 
                            fits a standard 19 in. equipment rack; single rack unit height 

Weight                      9 lbs 3 oz. (4.2 kg) 

Network interfaces          Four 10/100Base-T Ethernet connections 

User interface              2 in. x 16 in. liquid crystal display on front panel; 
                            LEDs: transmit/receive, link, collision, 100 M, disk activity, temperature 

Operating environment       32° to 108° F (0° to 40° C); 10% to 90% humidity (non-condensing) 

Power requirements          Input rating 100-240V, 50/60Hz 

Maximum power consumption   50 watts 

Model 1200 

■ 250 node license 

■ Four 10/100Base-T Ethernet network interfaces 

■ Serial console interface 

■ Serial port for uninterruptible power supply (UPS) 

■ LCD display and keypad for easy set-up 

■ Six status indicator LEDs 

Model 1300 

■ Unlimited node license 

■ Four 10/100Base-T Ethernet network interfaces 

■ Serial console interface 

■ Serial port for uninterruptible power supply (UPS) 

■ LCD display and keypad for easy set-up 

■ Six status indicator LEDs 
Figure 1-2 VelociRaptor appliance Model 1300 
Table 1-2 Models 1200 and 1300 specifications 

Parameter                   Specification 

Dimensions                  17.50 in. x 22.75 in. x 1.75 in. (44.5 cm x 57.8 cm x 4.5 cm); 
                            fits a standard 19 in. equipment rack; single rack unit height 

Weight                      20 lbs (9 kg) 

Network interfaces          Four 10/100Base-T Ethernet connections 

User interface              2x16 liquid crystal display on front panel; 
                            LEDs: transmit/receive (2), link (2), disk activity (1), temperature 

Operating environment       32° to 95° F (0° to 35° C); 10% to 90% humidity (non-condensing) 

Power requirements          Input rating 100-240V, 50/60Hz 

Maximum power consumption   100 watts (typical), 130 watts (max) 



Documentation 

The VelociRaptor appliance functionality is described in three manuals: 

■ The Symantec VelociRaptor 1.5 Appliance Implementation Guide 

This guide covers all the functionality of the VelociRaptor appliance except 
firewall and VPN features. 

■ Symantec Enterprise Firewall and Symantec Enterprise VPN Configuration 
Guide 

This guide covers topics related to the firewall and VPN features, including: 
base components, access controls, secure tunnels, VPN policies, remote 
policies, and monitoring controls. It is provided in PDF format on the 
VelociRaptor appliance Software CD-ROM. 

■ Symantec Enterprise Firewall, Symantec Enterprise VPN, and VelociRaptor 
Firewall Appliance Reference Guide 

This guide provides advanced technical information about network security 
and advanced configuration examples. 

You will need to use all these manuals to fully configure and manage the 
VelociRaptor appliance. 

Checking the hardware 

After carefully unpacking the VelociRaptor appliance, compare the actual kit 
contents with Table 1-3 to ensure that you have received all ordered components. 
Follow the instructions on the Quick Start Card to install and set up the 
appliance. 

Components list 

The VelociRaptor appliance ships with the components listed in Table 1-3. 
Table 1-3 Components list 

Part                          Description 

VelociRaptor appliance        A single device, rack-mount or stand-alone 

Five rubber feet              For resting the appliance on a flat surface 
                              Note: Models 1200 and 1300 do not come with rubber feet. 

Rack-mount brackets           Hardware for rack-mounting the appliance 

Software CD-ROM containing:   ■ Symantec Raptor Management Console (GUI) 
                              ■ Adobe Acrobat Reader 
                              ■ Remote log tools 
                              ■ FTP client software 
                              ■ Microsoft Management Console® (MMC) 1.2 software 
                              ■ Appliance operating system restore program 
                              The following documentation in PDF format: 
                              ■ VelociRaptor 1.5 Appliance Implementation Guide 
                              ■ Symantec Enterprise Firewall and Symantec Enterprise VPN 
                                Configuration Guide 
                              ■ Symantec Enterprise Firewall, Symantec Enterprise VPN, and 
                                VelociRaptor Firewall Appliance Reference Guide 
                              ■ Quick Start Card 

License Key form              A form which provides the license serial number and directions 
                              on how to obtain the license key. This form also contains the 
                              license for the appliance. 

Power cord                    A power cord required for the country in which the appliance 
                              will operate. Available country cord types are: Australia, Euro, 
                              UK, and USA. 

Printed documentation         ■ VelociRaptor 1.5 Appliance Implementation Guide 
                              ■ Quick Start Card 
                              ■ Release Notes 
Installation 

This chapter describes the following procedures: 

■ Installing the VelociRaptor appliance models (1100, 1200 and 1300) as a 
rack-mounted component or as a stand-alone device 

■ Connecting the VelociRaptor appliance to your network 

■ Performing the initial setup of your VelociRaptor appliance 



Note: Installation procedures differ for VelociRaptor appliance model 1100 and 
the 1200 and 1300 models, due to the different layouts of their front and back 
panels. 



Cautions and warnings 

Because this is an electrically powered device, adhere to the listed warnings and 
cautions when installing or working with the VelociRaptor appliance. 



Warning: Read the installation instructions before connecting the system to its 
power source. Refer to Important safeguards on page 165 for information 
regarding the setup and placement of the VelociRaptor appliance. 



Stand-alone hardware installation 

The VelociRaptor appliance model 1100 ships with five rubber feet for use when 
the appliance is set up as a freestanding unit. 



Note: Models 1200 and 1300 do not come with rubber feet. 

To install the VelociRaptor appliance as a stand-alone device 

1 Make sure that the installation site has a smooth and level surface, such as the 
top of a computer table. Also, avoid placing the VelociRaptor appliance in an 
area with a lot of clutter, such as books or other hardware devices. 

2 Attach the rubber feet to the five indentations on the bottom of the 
appliance. See Figure 2-1. 




Figure 2-1 Freestanding Model 1100 with rubber feet 

3 Place the unit in a secure location away from busy areas. The installation site 
must meet minimum environmental specifications as described in Table 1-1. 

4 Check that the power source is adequate for the VelociRaptor appliance and 
that the outlet is located within reach of the supplied power cord without 
stretching or putting strain on the cord. Refer to Connect model 1100 to the 
network on page 20 or Connect models 1200 and 1300 to the network on 
page 22 for details on attaching signal cables. 

Warning: Do not use an extension cord to supply power to this unit. 
After cabling the unit into the network, properly dress the cables and 
position them away from foot traffic to avoid a potential tripping hazard. 



Rack-mount instructions 

The following rack-mount instructions apply to all appliance models. 



Note: Because rack hardware can differ from site to site, the screws shipped with 
the unit may not be of the proper thread size for your needs. Before proceeding, 
obtain screws of the proper size and length for your rack installation. 



To mount the appliance in a standard 19-inch equipment rack 

1 Connect the mounting brackets to the sides of the appliance towards the 
front or the rear of the case. See Figure 2-2. 







Figure 2-2 Rack-mount bracket installation 

2 Secure the mounting brackets to the equipment rack. See Figure 2-3 or 
Figure 2-4. 



Figure 2-4 Rack-mount rack installation - back 

Back panel of model 1100 

This section describes the features of the back panel of the VelociRaptor 
appliance model 1100. 

Figure 2-5 Model 1100 back panel 

Table 2-1 describes the features of the Model 1100 back panel. 

Table 2-1 Model 1100 back panel features 

Location   Description 

1          The cooling fans maintain a proper operating temperature. Ensure that 
           the ventilation holes in the front and back are not blocked. 

2          The Auxiliary 2 network connector enables an Ethernet network connection 
           and accepts 10/100Base-T network cables. 

3          The Auxiliary 1 network connector enables an Ethernet network connection 
           and accepts 10/100Base-T network cables. 

4          The Serial console port (155200 bps) allows you to connect a terminal 
           emulator to act as a system console. This lets you log on to the system 
           console and access the appliance Linux OS locally. For serial cable 
           specifications see Serial 9-Pin Cable Specifications on page 179. 

5          The Serial connector allows you to connect a UPS to the serial port for 
           smart UPS support (see Connect an uninterruptible power supply on page 
           23). 

6          The Outside Network connection (eth1) enables Ethernet network 
           connections and accepts 10/100Base-T network cables. 

7          The Inside Network connection (eth0) enables Ethernet network 
           connections and accepts 10/100Base-T network cables. 

8          The Power switch toggles the power on or off. 

9          The Power socket receives the AC cord that is provided. 



Connect model 1100 to the network 

The VelociRaptor appliance model 1100 back panel provides a total of four 
Ethernet connections. Your network connection requirements may differ 
depending on your site's configuration. Refer to Figure 2-5 for the connection 
instructions below. 

To connect your network 

1 Plug the RJ-45 connector from the Internet into the outside network 
connection (6). 

2 Plug the RJ-45 connector from the LAN into the inside network connection 
(7). 

3 Plug the RJ-45 connector from any other service network (if present) into the 
Aux 1 network connection (3). 

4 Plug the RJ-45 connector from any other service network (if present) into the 
Aux 2 network connection (2). 

Connect power cord to model 1100 

To connect power to the appliance model 1100 

1 Plug the power cord into the appropriate connector on the rear panel (9). 

2 Connect the power supply cord from the appliance to an electrical outlet or 
UPS supply unit. 

For UPS configuration details, see Connect an uninterruptible power supply on 
page 23. 



Power on the model 1100 

Turn on the power by pressing the On/Off switch on the back of the VelociRaptor 
appliance. You will know it has powered up properly if: 

■ The hard disk spins up, the fans turn on, and the LCD screen lights up. 

■ A number of status messages are displayed on the LCD screen as the 
appliance completes its boot process. 

Back panel of models 1200 and 1300 

This section describes the features of the back panel of the VelociRaptor 
appliance models 1200 and 1300. 
Figure 2-6 Models 1200 and 1300 back panel 


Table 2-2 Models 1200 and 1300 back panel features 

Location   Description 

1          The Power socket receives the AC cord that is provided. 

3          The Universal Serial Bus (USB) port is not currently supported. 

4          The Auxiliary 1 and Auxiliary 2 network connectors enable Ethernet 
           network connections and accept 10/100Base-T network cables. 

5          The Serial connector allows you to connect a UPS to the serial port for 
           smart UPS support. See Connect an uninterruptible power supply on page 
           23. 

6          The Serial console port (155200 bits per second) allows you to connect a 
           terminal emulator to act as a system console. This lets you log on to the 
           system console and access the appliance Linux OS locally. For serial cable 
           specifications see Serial 9-Pin Cable Specifications on page 179. 

7          The Outside Network connection (eth1) enables Ethernet network 
           connections and accepts 10/100Base-T network cables. 

8          The Inside Network connection (eth0) enables Ethernet network 
           connections and accepts 10/100Base-T network cables. 

9          The Security lock hole is used to lock the unit to a secure location. 



Connect models 1200 and 1300 to the network 

The VelociRaptor appliance models 1200 and 1300 back panel provide a total of 
four Ethernet connections. Your network connection requirements may differ 
depending on your site's configuration. Refer to Figure 2-6 for the connection 
instructions below: 

1 Plug the RJ-45 connector from the Internet into the outside network 
connection (6). 

2 Plug the RJ-45 connector from the LAN into the inside network connection 
(7). 

3 Plug the RJ-45 connector from any other service network (if present) into the 
Aux 1 network connection (3). 

4 Plug the RJ-45 connector from any other service network (if present) into the 
Aux 2 network connection (3). 



Connect the power cord to models 1200 and 1300 

To connect power to appliance models 1200 and 1300 

1 Plug the power cord into the appropriate connector on the rear panel (1). 

2 Connect the power supply cord from the appliance to an electrical outlet or 
UPS supply unit. 

For UPS configuration details, see Connect an uninterruptible power supply on 
page 23. 
Power on the models 1200 and 1300 

Turn on the power by pressing the On/Off button on the front of the 
VelociRaptor appliance models 1200 and 1300. You will know the box has 
powered on properly if: 

■ The hard disk spins up, the fans turn on, and the LCD screen lights up. 

■ A number of status messages are displayed on the LCD screen as the 
appliance completes its boot process. 

Connect an uninterruptible power supply 

When the VelociRaptor appliance is configured to use a UPS, the appliance can 
power down in an orderly manner in the event of a power failure. The appliance 
communicates directly with the UPS unit through the serial port. 

The recommended supplier for UPS units is American Power Conversion 
(www.apcc.com). 

To configure VelociRaptor for UPS support 

1 Plug the UPS into the wall socket. 

2 Turn on the UPS. 

3 Plug the VelociRaptor appliance into the UPS power socket. 

4 Connect the UPS serial cable to the UPS unit and the VelociRaptor 
appliance. 

Refer to Figure 2-5 for the location of the UPS port (5) on the model 1100 
back panel. 

Refer to Figure 2-6 for the location of the UPS port (4) on the models 1200 
and 1300 back panel. 



Note: To configure UPS support on the VelociRaptor appliance, access the 
System Menu, as described in Use the system menu on page 39. You can also turn 
UPS support on from the Symantec Raptor Management Console VelociRaptor 
Setup wizard. See Setup wizard on page 50. 
This chapter describes the procedures for configuring the VelociRaptor appliance 
network parameters for use with the Symantec Raptor Management Console 
(SRMC), installing the Symantec Raptor Management Console, connecting the 
Symantec Raptor Management Console to the appliance, and running the Setup 
Wizard. This chapter also describes the various VelociRaptor appliance hardware 
features. 

The VelociRaptor appliance has an integral LCD display located on the front of 
the unit. Using the appropriate buttons, you can enter basic configuration 
information into the VelociRaptor appliance, as well as monitor certain system 
operating parameters. 



The VelociRaptor appliance model 1100 front panel, as shown in Figure 3-1, 
contains six data entry and navigation keys and a two line by 16 character liquid 
crystal display area. The initial configuration of the VelociRaptor appliance takes 
place at the unit's front panel, where you enter and modify parameters such as 
system and network IP addresses. 



Front panel layout - model 1100 
Figure 3-1 VelociRaptor appliance model 1100 front panel 



Table 3-1 Model 1100 front panel descriptions 

Front panel   Description 
locations 

1             The Status Indicators signal Ethernet and hard drive activity: 
              ■ Tx/Rx (Transmit/Receive) blinks when there is network traffic on 
                the inside interface. 
              ■ Link indicates an active network connection on the inside 
                interface. 
              ■ Col blinks when a collision is detected on the inside interface. 
              ■ 100 M indicates that 100Base-T Ethernet is being used on the 
                inside interface. 
              ■ Disk indicates hard disk activity on the hard disk drive. 

2             The Temp indicator blinks to indicate temperature status, blinking 
              slowly for temperature warnings and quickly for temperature failures. If 
              the VelociRaptor appliance is in danger of overheating, a log message is 
              sent to the Symantec Raptor Management Console. 

3             The Liquid Crystal Display (LCD) screen displays the VelociRaptor version 
              number and system health monitoring information. 
              The LCD screen is the same on all models. Although relatively small in 
              size, it allows you to monitor appliance status, modify configuration 
              parameters, and re-initialize the appliance. The available LCD screen 
              displays include: 
              ■ System startup self-tests 
              ■ Performance monitoring 
              ■ System menu (see Use the system menu on page 39) 
              As the appliance boots up, the LCD displays status messages. 

4             The factory reset pinhole, when pressed, resets the VelociRaptor Model 
              1100 appliance in the following manner: 
              ■ Network IP address information is erased. 
              ■ Symantec Raptor Management Console workstation connection 
                information is erased. 
              ■ License information remains intact. 

5             The front panel push buttons let you enter network information 
              directly into the appliance (see Front panel controls on page 29). 



Front panel layout - models 1200 and 1300 

The VelociRaptor appliance models 1200 and 1300 front panel, as shown in 
Figure 3-2, contains six data entry and navigation keys and a two-line by 
16-character liquid crystal display area. The initial configuration of the VelociRaptor 
appliance takes place at the unit's front panel, where you enter and modify 
parameters such as system and network IP addresses. 

Figure 3-2 VelociRaptor appliance model 1200 and 1300 front panel 



Table 3-2 Model 1200 and 1300 front panel descriptions 

Front panel location 1 
The Status Indicators signal network activity, Ethernet connections, 
and hard disk drive activity: 

■ The network activity indicator blinks when there is traffic on the 
network interfaces (labeled 0 for outside and 1 for inside). 

■ The Ethernet connections indicator glows steadily to indicate an 
active connection on the network interfaces (labeled 0 for 
outside and 1 for inside). 

■ The hard disk drive activity indicator blinks when there is 
activity on the hard disk drive (labeled 0; 1 through 3 are not 
used). 

Front panel location 2 
The Temp indicator blinks to indicate temperature status, blinking 
slowly for temperature warnings and quickly for temperature failures. If 
the VelociRaptor appliance is in danger of overheating, a log message is 
sent to the Symantec Raptor Management Console. 

Front panel location 3 
The Power button turns the power to the appliance on and off. 

Front panel location 4 
The LCD screen displays the VelociRaptor appliance version number 
and system health monitoring information. 

The LCD screen is the same on all models. It allows you to monitor 
appliance status, modify configuration parameters, and re-initialize the 
appliance. The available LCD screen displays include: 

■ System startup self-tests 

■ Performance monitoring 

■ System menu (see Use the system menu on page 39) 

As the appliance boots up, the LCD displays status messages. 

Front panel location 5 
The front panel push buttons let you enter network information 
directly into the appliance (see Front panel controls on page 29). 



Front panel controls 

The front panel controls are the same on all models. Use the following push 
button instructions to enter all required setup information (detailed in the Initial 
network configuration procedure on page 35) into the VelociRaptor appliance. 



Note: The front panel buttons perform dual functions. These functions depend 
upon whether the appliance is in initial setup mode (see Initial network 
configuration procedure on page 35), or if the system menu has been entered (see 
Use the system menu on page 39). Refer to the bulleted descriptions below. 
Figure 3-3 Front panel controls 

Up (^) and down (v) arrow buttons: 

Use these buttons to increment and decrement the current number displayed on 
the LCD or to move to the previous menu item (^) or to the next (v) menu item. 

Left (<) and right (>) arrow buttons: 

Use the left (<) and right (>) arrow buttons to move across the LCD panel or to 
move to the previous menu item (<) or to the next (>) menu item. 
E (Enter) button: 

Use the E button to launch the System Menu when the appliance is in monitoring 
mode, and also to accept the current value displayed in the LCD when entering 
information. 

S (Select) button: 

Use the S button to cancel out of a menu item and return to the top menu level. 

Network address information 

When the appliance boots for the first time, you must enter the network address 
information of the Symantec Raptor Management Console that will manage the 
appliance. Refer to the network configuration in Figure 3-4 for the examples of 
address setup instructions. 
Figure 3-4 VelociRaptor appliance protected network (the figure labels the 
protected hosts 192.168.3.10, 192.168.3.11 and 192.168.3.12) 

Network configuration worksheet 

During the VelociRaptor appliance setup process, you are prompted to enter 
network address information. Once those addresses are entered, the VelociRaptor 
appliance's LCD panel displays three passwords that you will need to initiate remote 
management. Use the worksheet on the next page to make note of these 
passwords. Passwords can be changed once you have set up the Symantec Raptor 
Management Console to begin remote management. For details on changing 
passwords, see Managing passwords on page 106. 

Store this completed form in a secure location. This form can serve as a 
permanent record for each VelociRaptor appliance installed at your site. For 
details on the worksheet items listed below, see Initial network configuration 
procedure on page 35. Make a copy of this worksheet to record the output data. 




Network configuration worksheet 

User input during initial setup: 

■ Interface IP address 

■ Netmask 

■ Gateway address 

■ SRMC address 

VelociRaptor appliance output during initial setup: 

■ SRMC password (1) 

■ SRL (Secure Remote Login) password (1) 

■ Root password (1) 

■ System ID 

(1) Passwords are output during the hardware configuration process. 






Initial network configuration procedure 

The VelociRaptor appliance first prompts you to enter the IP address of the 
network port that will communicate with the Symantec Raptor Management Console. 

To perform the initial network appliance configuration 

1 Press the E (Enter) button to start the appliance initial setup. 

2 Choose whether the Symantec Raptor Management Console system is inside 
[In] the network protected by VelociRaptor appliance or outside [Out] the 
network. 

SRMC location: 
[In] Out 

By default, [In] is selected. Either press the E button to accept this default or 
press the right arrow (>) key to select [Out] for outside. Then press the E 
button to enter your selection. 

For the network in Figure 3-4, you would select [Out]. All address 
information you enter in the next steps is applied to the interface you select 
here. 

3 Enter the VelociRaptor appliance IP address for the interface selected. Use the 
arrow buttons on the front panel to enter all data. Press the E button to move 
to the next LCD screen when the data is complete. (For button operation 
instructions, see Front panel controls on page 29). 

IP Address: 

000.000.000.000 

This is the VelociRaptor appliance interface address that is closest to the 

managing Symantec Raptor Management Console. 

For the network in Figure 3-4, you would enter 169.254.0.1. 

Note: If the Symantec Raptor Management Console is offsite (as in Figure 3- 
4) or simply not behind the designated VelociRaptor appliance, enter the 
outside interface IP address. If the Symantec Raptor Management Console is 
behind the VelociRaptor appliance, enter the appropriate inside interface IP 
address. 

4 Enter the netmask address for the IP address you just entered. 
Netmask: 

000.000.000.000 

For the network in Figure 3-4, you would enter 255.255.255.0 as the 
netmask. 
5 Enter the Gateway address to serve as the default gateway for the 
VelociRaptor appliance. 

If you have an internal Symantec Raptor Management Console behind an 
internal router, you must enter the IP address of the router interface through 
which the Symantec Raptor Management Console can be reached so that you 
can configure it from outside the internal network. If you do not have a 
default route, but you have a Symantec Raptor Management Console on 
your subnet, you can add this route later. 
Gateway Address: 
000.000.000.000 

For the network in Figure 3-4, you would enter 169.254.10.254. 

Note: If the Symantec Raptor Management Console is behind the 
VelociRaptor appliance and on the same subnet, you do not have to enter a 
Gateway Address. You can move past this address without changing it by 
pressing the E button; static or default routes can be configured at a later 
time. 



Now that VelociRaptor appliance has the network configuration information 
it needs to locate the managing Symantec Raptor Management Console, you 
must enter the IP address of the Symantec Raptor Management Console host 
and make note of the remote management passwords. 

6 Enter the Symantec Raptor Management Console host address for the 
Symantec Raptor Management Console host system. 
SRMC IP Address: 
000.000.000.000 

For the network in Figure 3-4, you would enter 169.254.10.1. 



Caution: Once you enter the Symantec Raptor Management Console system 
IP address, the VelociRaptor appliance calculates and displays your remote 
management passwords in clear text on the LCD. You MUST make note of these 
passwords; you will need them to start the first remote management sessions 
between the Symantec Raptor Management Console and the VelociRaptor 
appliance. Because they are visible to anyone who can see the front panel at 
this point, treat the completed worksheet as a secret and change the passwords 
after your first session (see Managing passwords on page 106). 

7 The Symantec Raptor Management Console password displays. 
SRMC Password: 
ltbcfetglzha (for example) 

Record this password in the Network configuration worksheet on page 32 
and press the E button to accept it. 
Later, you will enter this password into the Symantec Raptor Management 
Console login screen to begin a remote management session between the 
Symantec Raptor Management Console and the appliance. After you initially 
login, you can change this password using the Remote Management 
Passwords feature of Symantec Raptor Management Console. 

8 The SRL password displays. 
SRL Password: 
xxdmmfsb (for example) 

Record this password in the Network configuration worksheet on page 32 
and press the E button to accept it. 

Secure Remote Login (SRL) enables a user on an authorized remote system 
to login to the VelociRaptor appliance and edit VelociRaptor appliance files, 
reboot the machine, or perform other troubleshooting or debugging tasks 
that are unrelated to normal VelociRaptor appliance operations. All remote 
traffic is encrypted. 

To make an SRL connection from an authorized client to the VelociRaptor 
appliance, see Connect to VelociRaptor 1.5 appliance on page 48. 

9 The Root password displays. 
Root Password: 
h7vuvaxf (for example) 

Record this password in the Network configuration worksheet on page 32 
and press the E button to accept it. 

This password is used to connect directly to the Linux OS through the serial 
port. 

You should record this password, but Symantec recommends that you do not 
use it to connect directly to the system. Provide this root password to 
customer support if your machine requires maintenance. 



Note: You cannot change your passwords on the VelociRaptor appliance 
itself. 



10 The System ID displays. 
System ID is: 
428a0d60(for example) 

You provide this System ID to Symantec to obtain your license key (see Get 
your license key on page 40 for information on obtaining a license key). 
Write the System ID on the worksheet provided in this manual and press the 
E button. 

11 You are next asked if you would like to save your setup information. 
Save Setup? 
Yes [No] 

By default, No is selected. If you press the E button here to enter No, 
VelociRaptor restarts the setup procedure and you must re-enter your 
network information. 

To save your setup data, press the left (<) arrow key to select Yes and press E 
to save it. When you press E, the following message should display: 
Saving Config... 
Config Saved! 

12 Press and hold down the E button to reboot. 

The VelociRaptor appliance is now ready to be configured using the 
Symantec Raptor Management Console. For more information see Chapter 
4, Firewall. 
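The addresses keyed in at steps 2 through 6 have to agree with each other: the 
gateway must lie on the subnet defined by the interface address and netmask, and 
a console that is not on that subnet can only be reached if a gateway was entered. 
The following script is added here as an example; it is not part of the appliance 
software or of this manual. It checks a completed worksheet for those conditions 
before you start pressing buttons, accepts the LCD's zero-padded form 
(000.000.000.000) and treats an untouched gateway of all zeros as "no default 
route". The function names are the example's own, and the inside-interface 
address 192.168.3.1 used in the second run is a constructed value, since the 
manual does not give one for the protected network in Figure 3-4. Run against the 
values the procedure quotes for Figure 3-4, the check flags the gateway: 
169.254.10.254 is not on the 169.254.0.0/24 subnet that 169.254.0.1 with 
netmask 255.255.255.0 defines, so verify the four addresses against your own 
network diagram before entering them at the front panel. 

```python
"""Consistency check for the VelociRaptor network configuration worksheet.

Added example, not part of the appliance documentation or software: it
validates the four addresses the front-panel procedure asks for (interface
IP, netmask, gateway, SRMC address) before they are keyed in at the LCD.
"""
import ipaddress
from typing import List, Optional


def normalize_lcd(text: str) -> str:
    """Convert the LCD's zero-padded form (e.g. 169.254.000.001) to plain
    dotted decimal; the ipaddress module rejects leading zeros."""
    octets = text.replace(" ", "").split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"not a dotted-quad address: {text!r}")
    return ".".join(str(int(o)) for o in octets)


def check_worksheet(interface_ip: str, netmask: str,
                    gateway: Optional[str], srmc_ip: str) -> List[str]:
    """Return a list of problems (empty when the worksheet is consistent).

    gateway may be None or the untouched LCD default 000.000.000.000,
    both meaning "no default route entered yet".
    """
    problems: List[str] = []
    try:
        ip = ipaddress.IPv4Address(normalize_lcd(interface_ip))
        srmc = ipaddress.IPv4Address(normalize_lcd(srmc_ip))
        # strict=False keeps the host bits: we want the subnet the interface sits in
        subnet = ipaddress.IPv4Network((str(ip), normalize_lcd(netmask)), strict=False)
        gw: Optional[ipaddress.IPv4Address] = None
        if gateway is not None:
            gw_addr = ipaddress.IPv4Address(normalize_lcd(gateway))
            if int(gw_addr) != 0:          # all zeros = field left at its default
                gw = gw_addr
    except ValueError as exc:              # covers Address/NetmaskValueError too
        return [f"unparseable entry: {exc}"]

    if subnet.prefixlen >= 31:
        problems.append(f"netmask {subnet.netmask} leaves no usable host addresses")
    elif ip in (subnet.network_address, subnet.broadcast_address):
        problems.append(f"interface address {ip} is the network or broadcast "
                        f"address of {subnet}")

    if gw is not None:
        if gw == ip:
            problems.append(f"gateway {gw} is the appliance's own interface address")
        elif gw not in subnet:
            problems.append(f"gateway {gw} is not on the interface subnet {subnet}; "
                            "the default route must point at an on-link router")

    if srmc == ip:
        problems.append(f"SRMC address {srmc} is the appliance's own interface address")
    elif srmc not in subnet and gw is None:
        problems.append(f"SRMC host {srmc} is not on {subnet} and no gateway is set; "
                        "the appliance cannot reach the console")
    return problems


if __name__ == "__main__":
    # Values quoted in the procedure for Figure 3-4 (console outside the firewall)
    for p in check_worksheet("169.254.0.1", "255.255.255.0",
                             "169.254.10.254", "169.254.10.1"):
        print("Figure 3-4 values:", p)
    # Constructed example: console on the protected 192.168.3.0/24 network,
    # inside interface assumed to be 192.168.3.1, gateway left at the LCD default
    print("inside console:", check_worksheet("192.168.3.001", "255.255.255.000",
                                             "000.000.000.000", "192.168.3.10") or "OK")
```

Run it once with the worksheet values before touching the front panel; an empty 
result means the interface, netmask, gateway and console address are mutually 
consistent, which is all the appliance itself will not tell you at the LCD. 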



Display system information 

Once the initial network configuration is complete, and the appliance is rebooted, 
the LCD enters a monitoring mode that it remains in during normal system 
operations. When in monitoring mode, the VelociRaptor appliance alternately 
displays system information related to the health and status of the appliance. 

It displays date, time, and status in this manner: 
Nov 14 14:00:00 
System: OK 

The LCD next displays system version and resource utilization information: 
V 1.5 (running) 
CPU: 40% Log: 20% 

Finally, the LCD displays the network interface load information (in packets per 
second): 

In: 0/s 
Out: 0/s 
Aux1: 0/s 
Aux2: 0/s 

These interfaces are generally configured as follows: 
In: = Inside Interface = (eth0) 
Out: = Outside Interface = (eth1) 
Aux1: = Auxiliary 1 Interface = (eth2) 
Aux2: = Auxiliary 2 Interface = (eth3) 

Use the system menu 

When the VelociRaptor appliance is up and running, you can access the system 
menu on the appliance by pressing the E button on the front panel. You can select 
a system menu option by pressing the E button again or continue to the next 
system menu entry by pressing either the down (v) arrow key or the right (>) 
arrow key. For descriptions of the buttons on the VelociRaptor appliance front 
panel and the functions they perform see Front panel controls on page 29. 

The available System Menu options are: 

1. Network Setup 

When you select this menu item, you are prompted to re-enter or change 
network settings configured during the initial setup process. To continue to 
the next system menu entry, press either the down (v) arrow key or the right 
( >) arrow key. 

2. Reboot 

When you select this menu item, you are prompted to select Yes or No. No is 
selected by default. To reboot, use an arrow button to move the cursor to Yes 
and press the E button to enter it. 

3. Shutdown 

When you select this menu item, you are prompted to confirm system 
shutdown. Select Yes or No. Press the E button again to enter your selection. 

4. UPS setup 

When you select this menu item, UPS (Uninterruptible Power Supply), you 
are prompted to choose start or stop. To use a UPS unit, select start and press 
the E button. 

5. System ID 

Selecting this menu item causes the VelociRaptor appliance to display the 
system's ID. You need to provide this system ID to Symantec to obtain a 
license key. 

Press the E button to return to the system menu once the system ID is 
displayed on the LCD. Press either the down arrow (v) key or the right arrow 
(>) key to move to the next menu item. 






6. Factory reset 

If you select this menu item, you are prompted to confirm with Yes or No. If 
you select Yes the VelociRaptor appliance resets in the following manner: 
Network IP address information is erased. 

Symantec Raptor Management Console workstation connection 
information is erased. 

License information remains intact. 

Caution: If you choose Yes, the appliance returns to its default state. This is 
the state it was in when you first received the appliance. All network 
information you have entered is lost as well as any configuration data. Only 
licensing information is retained. 



7. LCD Lock 

If you have enabled front panel keypad locking in system properties, selecting 
this item will disable the front panel controls. To unlock the LCD lock, press 
any button on the front panel and enter the Root password for the appliance. 



Note: The front panel buttons can be locked from the Symantec Raptor 
Management Console. This disables the use of the buttons until the proper 
password is entered using the buttons. See Use a locked keypad on page 122. 



Get your license key 

You can use the VelociRaptor appliance without a license key for a 30 day grace 
period. At any point during those 30 days, you can contact Symantec for a license 
key for a purchased system. There are two methods for obtaining your license 
key: 



Online 

To get your license key, use the online license key generator from the Symantec 
licensing and registration site at www.symantec.com/certificate. 

Fax 

The VelociRaptor appliance comes with the VelociRaptor License Key Request 
form. This form provides a number to which you can fax your license key request 
in the event that you cannot use the online method. 
You must provide the VelociRaptor appliance System ID and the VelociRaptor 
product software serial number whenever requesting a license key or technical 
support. 

■ Obtain the System ID during the initial appliance setup procedure, as 
described in Initial network configuration procedure on page 35, or access it 
from the appliance System Menu described in Use the system menu on page 
39. 

■ Locate the product serial number on the VelociRaptor License Key Request 
form. 

After you obtain your license key, you can enter it as part of the VelociRaptor 
Symantec Raptor Management Console Setup Wizard procedure (see QuickStart 
wizard on page 57). If you do not enter the license key in the Setup Wizard during 
the initial configuration procedure, use the Symantec Raptor Management 
Console System Properties to enter your license key at a later time. 

Restoring the VelociRaptor 1.5 appliance operating system 

The VelociRaptor CD-ROM ships with the VelociRaptor appliance and contains 
a VelociRaptor appliance operating system restore program. In the unlikely event 
that a complete reinstallation of the software is required, you can boot this CD- 
ROM in a PC connected to the appliance. 



Caution: Before you use this procedure, contact Customer Support as this 
operation will result in the complete overwriting of your existing VelociRaptor 
1.5 appliance configuration. All configuration data will be lost. 



The requirements for the PC running the operating system restore program are: 

■ An industry standard PC with a BIOS that allows you to boot from a CD- 
ROM 

■ An installed 100 Mbps (100 Base-T) network interface card 

■ Either a crossover cable to connect the VelociRaptor appliance directly to the 
network interface on the PC or a connection to a switch or hub to which the 
appliance is attached 



Note: Laptop PCs may not run the restore program properly. 
During the restore process, the appliance may automatically reboot itself and 
perform other installation tasks. This process must be allowed to complete 
without interruption for a successful restore of the appliance software to its 
original factory condition. This process may take 15 minutes. 

To restore the appliance operating system 

1 Press any button on the front panel of the appliance until the System Menu 
displays on the LCD screen. 

2 Press the down (v) arrow button until the Shutdown option appears. 

3 Select the Shutdown option by pressing the E button. 

4 When prompted, turn off the power using the power switch. 

5 Insert the VelociRaptor CD-ROM into the CD-ROM drive of your PC. 

6 Reboot your PC (turn off and restart) with the VelociRaptor CD in the CD 
drive. Wait until the PC is rebooted before proceeding. 

7 Turn on the power to VelociRaptor appliance using the power switch while 
pressing and holding down the Select (S) button on the LCD console. 

8 Continue holding down the Select (S) button until "Select Option:" appears 
on the LCD display. 

9 Press and release the Select (S) button until the "Boot From Net" option 
appears on the LCD display. 

10 Press and release the Enter (E) button to begin net booting the VelociRaptor 
appliance from the VelociRaptor CD-ROM. The LCD display shows the 
"Loading Kernel. . ." message. 

This step may take 15 minutes, and includes the system rebooting itself. 

11 Wait until "PLEASE SWITCH OFF POWER NOW" appears on the LCD 
display. The restore process is now complete. 

12 Turn off the VelociRaptor appliance. 

13 Remove the VelociRaptor CD-ROM from the CD-ROM drive on your PC. 

14 Restart your PC without VelociRaptor CD-ROM in the PC to return it to 
normal service. 

15 Turn on the VelociRaptor appliance and perform the initial setup process 
again. For more information see Initial network configuration procedure on 
page 35. 

The VelociRaptor appliance is managed from a computer on your network using 
the Symantec Raptor Management Console Graphical User Interface. 
The Symantec Raptor Management Console installs on a Windows NT or 
Windows 2000 machine, and can manage all VelociRaptor appliance functions, 
including secure tunnels and hardware system management such as reboots or 
shutdowns. You can use the same Symantec Raptor Management Console to 
manage a mixture of VelociRaptor (versions 1.0, 1.1 and 1.5) appliances, 
Symantec Gateway Security appliances and Symantec Enterprise Firewalls. 

The Symantec Raptor Management Console provides automated wizards for: 

■ VelociRaptor Setup 

■ QuickStart 

■ SMTP 

■ S2S (Site to Site) Tunnel 

■ VPN Client Tunnel 

■ Cluster 

These wizards help you get your VelociRaptor appliance up and running quickly 
and easily. You can immediately begin securely passing traffic to and from your 
protected network. 

Install Symantec Raptor Management Console 

Install the Symantec Raptor Management Console on a system which meets the 
following hardware and software requirements: 

Hardware Requirements 

■ Industry Standard PC 

■ 233 MHz Pentium II or higher 

■ 128 MB RAM 

■ 20 MB disk space 

■ Ethernet card 

■ Windows NT 4.0 workstation or server with Service Pack 6a or Windows 
2000 Professional or Server with Service Pack 2. Service packs can be found 
on the Microsoft Website at http://support.microsoft.com. The system on 
which you install Symantec Raptor Management Console can not be a 
backup or Primary Domain Controller (PDC). 
■ The system must be listed on the Microsoft Windows NT 4.0 or Windows 
2000 Hardware Compatibility List (HCL). Check the Microsoft Web site at 
http://www.microsoft.com. 

■ You must have a color monitor with a minimum resolution of 1024x768 
pixels. Click the right mouse button on the background screen and select 
Properties from the list, then choose the Settings tab to view or modify the 
screen resolution. 

Software Requirements 

■ TCP/IP must be installed. 

■ Microsoft Management Console (MMC) 1.2 must be installed. The 
executable that is used to install MMC is located on the VelociRaptor CD in 
the following location: ClientSoftware\mmc\immc.exe. 

■ Your system must have Internet Explorer version 5.0 or higher. 

■ The computer must have network connectivity with VelociRaptor appliance. 
Ping an address on the same network as VelociRaptor appliance to check. 

■ Check the release notes and the Symantec Service and Support website 
(www.symantec.com/techsupp/) from time to time to see if new service 
packs are recommended. 

Symantec recommends that the system and Symantec Raptor Management 
Console partition(s) be formatted using NTFS. 

To install Symantec Raptor Management Console 

1 Log on as Administrator. 

2 Insert the VelociRaptor 1.5 appliance distribution CD-ROM. 

3 Use your file browser to locate the Setup.exe file. It is located in the directory 
ClientSoftware\SymantecRMC\3DES (or DES). 

4 Double click on the Setup.exe file. 

The Symantec Raptor Management Console Setup Welcome window 
appears. 

5 Click Next to display the Symantec Raptor Management Console License 
Agreement window. 

6 Read the license agreement, then click Yes to proceed (or No to exit the 
SRMC installation). 

If you click Yes, the Choose Destination Location window is displayed (see 
Figure 3-5). 
Figure 3-5 Symantec Raptor Management Console Choose Destination 
Location window (the InstallShield page shows the default Destination Folder 
with a Browse button and Back, Next and Cancel buttons) 

7 Click Next to accept the default, or specify an alternate directory path. 
The Start Copying Files window is displayed (see Figure 3-6). 
Figure 3-6 Symantec Raptor Management Console Start Copying Files 
window (the Current Settings list shows the target directory, by default 
C:\Program Files\Symantec\Raptor Management Console, and Additional 
Components: None) 

8 Click Next to install Symantec Raptor Management Console and display the 
Setup Status window. See Figure 3-7, which shows the progress of the 
installation. 



Figure 3-7 Symantec Raptor Management Console Setup Status window 
(shows the file currently being installed and the percentage completed) 

When all the files are installed, the Symantec Raptor Management Console 
InstallShield Wizard Complete window appears (see Figure 3-8). 
Figure 3-8 Symantec Raptor Management Console InstallShield Wizard 
Complete window (the page reports that the console was installed, that you 
must restart your computer before you can use the program, offers to restart 
now or later, and asks you to remove any disks from their drives before 
clicking Finish) 

9 Specify whether to reboot now or later, then click Finish. 

10 When you reboot, the Symantec Raptor Management Console icon and menu 
items are added to the desktop and Programs group. Use the Symantec 
Raptor Management Console icon or menu items to start Symantec Raptor 
Management Console. 

Connect to VelociRaptor 1.5 appliance 

After rebooting, you are ready to configure the VelociRaptor 1.5 appliance. 
To connect to the VelociRaptor 1.5 appliance 

1 Open Symantec Raptor Management Console by double clicking the 
shortcut icon placed on your desktop during installation. The Console Root 
window opens. 

2 Expand the Symantec Enterprise Management folder. 

3 Click on the Symantec Raptor Management Console icon in the left pane to 
access the Getting Connected taskpad (see Figure 3-9). 
Figure 3-9 Symantec Raptor Management Console Getting Connected 
taskpad window 

4 Click on the New Connection icon in the Getting Connected taskpad to 
display the Symantec Raptor Management Console logon screen (see Figure 
3-10). 



Figure 3-10 Symantec Raptor Management Console logon screen (fields: 
Name, Management Port, and an Obtain read/write access upon connecting 
check box, with OK and Cancel buttons) 

5 Type the IP address of the VelociRaptor appliance interface in the Name field. 
(This is the IP address you gave the appliance during initial setup.) 

6 Type the SRMC Password that the VelociRaptor appliance displayed during 
the initial setup procedure. (See Initial network configuration procedure on 
page 35). 

7 Click OK. 

When you attempt to connect through the Symantec Raptor Management 
Console for the first time, the VelociRaptor appliance Setup Wizard starts 
automatically. It prompts you for required VelociRaptor appliance 
configuration setup information. You must complete this wizard before you 
can begin managing VelociRaptor appliance. See instructions in the next 
section. 



Caution: Anyone who can use the Symantec Raptor Management Console 
workstation can connect to the VelociRaptor appliance once the password has 
been entered there. Restrict access to the administering computer and keep 
its password secret. 



Setup wizard 

The VelociRaptor appliance Setup wizard automatically starts when you connect 
to a VelociRaptor appliance for the first time from the Symantec Raptor 
Management Console. The Setup Wizard prompts you for the following setup 
information to run VelociRaptor appliance: 

■ System name 

■ Domain name 

■ Default gateway 

■ License key 

■ System features 

■ Network interfaces 

■ Date and time 



Caution: If you cancel out of this wizard without completing it at least once, you 
cannot connect to the VelociRaptor appliance. You will have to run it again in 
order to access the appliance. Once you have completed the VelociRaptor 
appliance Setup Wizard, you can use the Setup Wizard to edit system 
information at any time. 
To configure the appliance using the Setup Wizard 

1 Click on the VelociRaptor Setup Wizard icon in the Configuring your 
Symantec System window. 

The VelociRaptor Setup wizard automatically starts when you connect to a 
VelociRaptor appliance for the first time from the Symantec Raptor 
Management Console. 



Figure 3-11 Setup Wizard Welcome page (the page states that you MUST 
complete this wizard to begin managing the system, lists the items it 
configures, and warns that if you cancel before completing it at least once 
you cannot connect to the system) 

2 Click Next to begin using the Setup Wizard. 



Figure 3-12 Setup Wizard System Information page (fields: System name, 
Domain name, Default gateway IP, License, and a Lock Front Panel Keyboard 
check box) 

3 Enter a System Name for the VelociRaptor appliance. 

Each appliance ships with a pre-configured system name. You can change 
this name here if necessary. 

4 Type the Domain Name for the system. 

A domain name is displayed by default. Change this to match your domain. 

5 The Default Gateway IP field displays the information you typed during the 
appliance initial setup process. 

You can change this IP address, if necessary. 

6 Type the License Key. To obtain this license key, you must provide your 
System ID and product serial number (see Get your license key on page 40). 
If you do not type a license key here, the VelociRaptor appliance will run for a 
30-day grace period. 

7 Check the Lock Front Panel Keyboard checkbox if you want to disable the 
buttons on the front panel of the appliance. 

8 Click Next. 



The System Features page appears. Only features enabled by the license key 
are shown. For more information on System Features see the Product 
Overview on page 5. 



[Screen shown in Figure 3-13: System Features. "Specify the system features you 
want to enable on this" (text truncated in the capture). "Check the features you 
want to enable and clear the features you want to disable. The system features 
shown here are based on the license key in the previous page, not the system's 
current setting." System Features list: Firewall/VPN, Full VPN Client Support 
(both checked). Description: "The High Availability/Load Balancing feature 
supports the use of clusters, allowing another system to take over the work of 
a failed system and enabling multiple systems to share the work load."] 

Figure 3-13 System Features page 

9 Uncheck any features you do not want to use. 

You can run the Setup Wizard again to enable any feature, or use the System 
Features item under Base Components. 

10 Click Next. 

The Network Interfaces page appears (see Figure 3-14). 
You configured one Ethernet interface, the interface closest to the managing 
Symantec Raptor Management Console system, with an IP address and 
netmask at the front panel during the initial appliance setup procedure. That 
interface should appear in the Setup Wizard Network Interfaces page. 



[Screen shown in Figure 3-14: Network Interfaces. "Specify the inside and 
outside network interfaces." 

Name    IP Address   Mask         Type      Description 
eth0    10.1.1.11    255.0.0.0    Inside    Inside Interface 
eth1    1.0.10.0     255.0.0.0    Outside   Outside Interface 
eth2                              Outside   Auxiliary #1 Interface 
eth3                              Outside   Auxiliary #2 Interface 

Below the list, the selected interface (eth1) is shown with its IP address 
(1.0.10.0), Mask (255.0.0.0), Type (Outside) and a Use DHCP check box, with an 
Apply button. Buttons: Back, Next, Cancel.] 

Figure 3-14 Setup Wizard Network Interfaces page 

11 From the list of Ethernet interfaces displayed in the Network Interfaces field 
(shown in Figure 3-14), select the interface that you want to configure. 
The VelociRaptor appliance provides a maximum of four Ethernet 
connections. You can configure and edit the Ethernet connections displayed, 
but you cannot add new ones. 

12 After you select the interface to configure, type the interface IP address in the 
corresponding field. 

13 Type the interface netmask. 

14 From the Type pull-down list, select where this interface is on the network 
(Inside or Outside). 



Note: When you configure the eth0 and eth1 interfaces (Inside or Outside), the 
values in this field cannot be changed. 



If you want to enable DHCP (Dynamic Host Configuration Protocol) on the 
eth1 outside interface, check the Use DHCP check box. 

Note: If you enable DHCP on the eth1 outside interface, there must be a 
DHCP server running on the outside network for DHCP to work. When you 
enable DHCP, the IP address of eth1 will change to 0.0.0.0. 



15 Click Apply to accept your edits. 

16 Repeat Step 11 on page 54 through Step 15 on page 55 for each 
interface you are configuring. Click Next to move to the next page when you 
are finished. 

17 Set the Date and Time (see Figure 3-15). 



[Screen shown in Figure 3-15: System's Date and Time. "Set Date and Time of the 
system." Set Date and Time check box; Date and Time field (02/07/2002 14:01); 
Timezone field (US/Eastern). Buttons: Back, Next, Cancel.] 

Figure 3-15 Setup Wizard System's Date and Time page 

If the date and time settings are incorrect, click the Set Date and Time check 
box and edit these settings. 

18 Click Next to complete the setup wizard. 

19 Click Finish. 

After you have successfully completed the VelociRaptor appliance Setup 
Wizard, you are prompted to reboot the appliance. When the reboot is 
complete, the VelociRaptor appliance is up and running. 



Note: You must access the logon screen again to connect to the VelociRaptor 
appliance (see Connect to VelociRaptor 1.5 appliance on page 48). 



Once you have completed the VelociRaptor appliance Setup Wizard the first 
time, you can access it again from the Configuring your Symantec System taskpad 
and edit any system information. (See Figure 4-1). 
Firewall 



The Symantec Raptor Management Console provides two automated wizards for 
setting up the firewall features of the VelociRaptor appliance: 

■ The QuickStart Wizard provides a quick way to configure mail, FTP, and 
Web services for the Firewall. 

■ The SMTP Wizard provides a quick way to configure rules to provide anti- 
spamming and anti-relay protection and prevent your internal mail server 
from being used as a spam relay. 

For setting up firewall configurations beyond those detailed in this chapter, refer 
to the Symantec Enterprise Firewall and Symantec Enterprise VPN Configuration 
Guide, provided on the VelociRaptor CD-ROM as a PDF file. 



QuickStart wizard 

Use the QuickStart wizard to quickly set up your mail, FTP, and Web services on 
the firewall of the VelociRaptor appliance. 

After you connect to the VelociRaptor appliance, the configuration taskpad 
appears in the right pane. Click on the QuickStart icon (see Figure 4-1) to access 
the QuickStart wizard. You can re-run the wizard to make changes at any time by 
selecting the VelociRaptor appliance system icon in the left pane. If you have 
taskpads turned on, the configuration taskpad containing the QuickStart wizard 
icon will appear in the right pane. 

The QuickStart wizard gives you two firewall configuration options: 

■ Configure mail services. 

The VelociRaptor appliance's secure Simple Mail Transfer Protocol (SMTP) 
proxy (SMTPD) enables you to pass SMTP mail by application proxy. 
SMTPD supports transparent addressing, allowing authorized internal 
systems to contact external systems directly. It also checks all traffic entering 
and leaving your domain for known sendmail attacks, and it uses heuristics 
to detect and record new types of attacks. The QuickStart wizard can prepare 
all these configurations for you. 



Note: You can use the SMTP Wizard to set up your mail server with anti- 
spamming parameters without configuring Web access as well. (See SMTP 
Wizard on page 63). 



■ Configure the appliance to allow inside users to access Web and File Transfer 
Protocol (FTP) services. At this point, your inside machines are cut off 
from the Internet. Allowing HTTP and FTP access involves creating two 
simple rules called interface-based rules. They allow Web and FTP for your 
inside users. The QuickStart wizard creates these rules for you. 

To use the QuickStart wizard for VelociRaptor appliance firewall setup 

1 In the left pane, select the icon of the VelociRaptor appliance for which you 
are configuring mail and/or Web access. The Configuring your Symantec 
System taskpad appears in the right pane (see Figure 4-1). 

If the taskpad is not displayed, pull down the View menu and choose 
Taskpad. 

You can re-enter the wizard to make changes at any time, by selecting the 
system icon to display the Configuring your Symantec System Taskpad. 



Figure 4-1 Configuring your Symantec System taskpad 

2 Click the QuickStart icon in the taskpad. The Welcome to the QuickStart 
Wizard screen appears (see Figure 4-2). 



[Screen shown in Figure 4-2: Welcome to the QuickStart Wizard. "This wizard 
will: Configure basic mail services; Configure rules to allow internal users to 
access web and FTP services. To continue with QuickStart, click Next." Buttons: 
Next, Cancel.] 

Figure 4-2 QuickStart Wizard introduction 

3 Click Next to begin using the QuickStart wizard. 



[Screen shown in Figure 4-3: Configuration Options. "You have the option of 
configuring mail services, web and FTP services, or both. Please select the 
options you would like to configure:" Check boxes: Configure mail services; 
Configure rules to allow internal users to access web and FTP services. 
Buttons: Back, Next, Cancel.] 

Figure 4-3 QuickStart Wizard Configuration Options 

4 The Configuration Options screen provides two check boxes: 

■ If you check Configure mail services, when you click Next, the following 
screen prompts you for the IP address of your mail server. Continue at 
Step 5 on page 61. 

■ If you check Configure rules to allow internal users to access web and 
FTP services, QuickStart automatically configures these services without 
requiring any further input. If this is the only option you select, 
continue at Step 10 on page 62. 



[Screen shown in Figure 4-4: SMTP Configuration Wizard, Internal Mail Server. 
"SMTP requests addressed to the external interfaces of the system will be 
directed to the internal mail server. Please enter the server's IP or DNS 
address:" followed by an address field. Buttons: Back, Next, Cancel.] 

Figure 4-4 Internal Mail Server screen 

5 On the Internal Mail Server screen, enter the IP address or DNS name of 
your site's internal mail server. 

In specifying an internal mail server, you are indicating where SMTP mail 
addressed to the appliance's external interface will be directed. 

6 Click Next to display the Allow Internal Hosts Out screen (see Figure 4-5). 
[Screen shown in Figure 4-5: SMTP Configuration Wizard, Allow Internal Hosts 
Out. "If selected, the wizard will create rules that allow internal systems to 
send mail directly to external mail servers. Otherwise rules that may have been 
previously created to support this option will be removed. If this option is 
not selected, any rules that allow mail to be sent to all systems will be 
deleted." Allow Internal Hosts Out check box.] 

Figure 4-5 Allow Internal Hosts Out 

7 To allow all internal hosts to send mail directly to all external systems, check 
the Allow Internal Hosts Out check box. 

This allows internal systems to bypass the internal mail server. 

8 Click Next. 

The QuickStart wizard prepares the configurations you have specified. 

9 Click Next when the progress bar shows that the preparations are complete. 

10 The final QuickStart wizard screen appears, allowing you to choose when you 
want to save and reconfigure the VelociRaptor appliance. 

11 Make your selection and click Finish. If you choose not to reconfigure now, 
make sure that you do so at a later point. 

QuickStart firewall configuration results 

When you have finished configuring your mail server and/or Web and FTP 
services, the QuickStart wizard automatically creates the necessary rules and 
redirected services to provide mail and/or Web service to your network. 



When QuickStart sets up your mail server, depending upon your wizard 
selections, it configures the following: 

■ A rule to allow all systems to send mail to the internal mail server 

■ A rule to allow the internal mail server to send mail to all systems 

■ A rule to allow hosts on the inside network to send mail to all systems (only if 
the Allow Internal Hosts Out check box is selected) 

■ A service redirection to redirect SMTP traffic arriving at the appliance's 
outside interface to the mail server 

In specifying an Internal mail server, you are indicating where SMTP mail 
addressed to the VelociRaptor appliance's external interface is directed. 

When QuickStart configures access to Web and FTP services, it also configures a 
rule from the inside interface to the Universe, allowing all internal systems to 
access HTTP and FTP services destined for anywhere. For setting up firewall 
configurations beyond those detailed in the QuickStart wizard, refer to the 
Symantec Enterprise Firewall and Symantec Enterprise VPN Configuration Guide, 
provided on the VelociRaptor CD-ROM as a PDF file. 
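The rules and the service redirection listed above decide which SMTP flows the appliance will pass. As an added example (not the appliance's rule engine or configuration format, and not part of this guide), the following Python models those rules and the outside-interface redirection so that the effect of the Allow Internal Hosts Out check box can be seen directly: with it cleared, an inside host can deliver mail only to the internal mail server. The inside network, mail server and outside interface addresses are constructed sample values, the Universe is modelled as 0.0.0.0/0, and only IPv4 is handled. 

```python
"""Model of the SMTP rule set QuickStart creates, to see which flows each
option permits. Added illustration, not the appliance's rule engine."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

UNIVERSE = ip_network("0.0.0.0/0")   # assumption: "Universe" = any address


@dataclass(frozen=True)
class Rule:
    name: str
    src: object        # ip_network the source must fall in
    dst: object        # ip_network the destination must fall in
    service: str       # e.g. "smtp"


def quickstart_mail_rules(inside_net, mail_server, allow_internal_hosts_out):
    """Rules mirroring the list in the text for the chosen wizard options."""
    inside = ip_network(inside_net)
    server = ip_network(f"{mail_server}/32")
    rules = [
        Rule("universe -> mail server", UNIVERSE, server, "smtp"),
        Rule("mail server -> universe", server, UNIVERSE, "smtp"),
    ]
    if allow_internal_hosts_out:
        # Only created when the Allow Internal Hosts Out box is checked;
        # this is the rule that lets inside hosts bypass the mail server.
        rules.append(Rule("inside -> universe", inside, UNIVERSE, "smtp"))
    return rules


def redirect_outside_smtp(outside_if_ip, mail_server, dst_ip, service):
    """Service redirection: SMTP arriving at the outside interface is
    delivered to the internal mail server; everything else is unchanged."""
    if service == "smtp" and dst_ip == outside_if_ip:
        return mail_server
    return dst_ip


def permitted(rules, src_ip, dst_ip, service):
    """Name of the first rule matching source, destination and service, or None."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst and r.service == service:
            return r.name
    return None


def evaluate(src_ip, dst_ip, service, *, inside_net="192.168.1.0/24",
             mail_server="192.168.1.25", outside_if="203.0.113.1",
             allow_internal_hosts_out=False):
    """Apply the redirection, then the rules. Addresses are constructed samples."""
    rules = quickstart_mail_rules(inside_net, mail_server, allow_internal_hosts_out)
    real_dst = redirect_outside_smtp(outside_if, mail_server, dst_ip, service)
    return permitted(rules, src_ip, real_dst, service)


if __name__ == "__main__":
    for flow in [("198.51.100.7", "203.0.113.1"),   # Internet -> outside interface
                 ("192.168.1.25", "198.51.100.7"),  # mail server -> Internet
                 ("192.168.1.50", "198.51.100.7")]: # inside host -> Internet
        for out in (False, True):
            print(flow, "allow_internal_hosts_out=%s ->" % out,
                  evaluate(*flow, "smtp", allow_internal_hosts_out=out))
```

Running the block prints, for each of three sample flows, which rule (if any) permits it with the check box cleared and with it checked; the inside-host-to-Internet flow is the only one whose result changes. 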

SMTP Wizard 

The SMTP Wizard provides a quick way to configure rules to provide anti- 
spamming and anti-relay protection and prevent your internal mail server from 
being used as a spam relay. 

Because Symantec Raptor Management Console automatically creates the 
necessary rules for SMTP service when you use the wizard to configure your mail 
server, you can set up anti-spamming parameters on one particular rule created 
by the wizard. The rule that allows "all systems to send mail to the internal mail 
server" should contain your anti-spam restrictions. 

To run the SMTP Wizard 

1 In the left pane, click on the icon of the appliance on which you want to 
perform the configuration. 

The Configuring your Symantec System taskpad appears in the right pane. 
If the taskpad is not visible, pull down the View menu and click Taskpad. 

2 In the right pane, start the wizard by clicking the SMTP Wizard icon. 

3 Click Next. 



[Screen shown in Figure 4-6: SMTP Configuration Wizard, Internal Mail Server. 
"SMTP requests addressed to the external interfaces of the system will be 
directed to the internal mail server. Please enter the server's IP or DNS 
address:" followed by an address field. Buttons: Back, Next, Cancel.] 

Figure 4-6 Internal Mail Server 

4 Enter the IP address or DNS name of your internal mail server. 

5 Click Next. 
[Screen shown in Figure 4-7: Allow Internal Hosts Out. "If selected, the wizard 
will create rules that allow internal systems to send mail directly to external 
mail servers. Otherwise rules that may have been previously created to support 
this option will be removed. If this option is not selected, any rules that 
allow mail to be sent to all systems will be deleted." Allow Internal Hosts Out 
check box. Buttons: Back, Next, Cancel.] 

Figure 4-7 Allow Internal Hosts Out screen 

6 If you want to create rules that will allow the internal systems to send mail 
directly to external mail servers, check the Allow Internal Hosts Out check 
box. 

7 Click Next. 
[Screen shown in Figure 4-8: SMTP Configuration Wizard, Anti-Spam. "Define the 
anti-spam settings for all smtp mail. You can later change these settings from 
the SMTPD and/or individual rule properties." Check boxes: Check Sender's 
Address against DNS; Check Sender's Address against RBL hosts. New RBL site 
field with an Add button, and an RBL list containing blackholes.mail-abuse.org. 
Buttons: Back, Next, Cancel.] 

Figure 4-8 Anti-Spam screen 

8 On the Anti-Spam page, define the anti-spam settings for all SMTP mail. 
The Check Sender's Address against DNS check box is checked by default. This 
validates the originator's envelope address by checking the format and 
ensuring the domain name is fully qualified. It also checks whether a mail 
exchange (MX) record exists for the domain name in DNS (Domain Name 
System). Email from senders who fail the DNS-registration test is rejected. 
Check Sender's Address against RBL hosts checks the sender's address 
against a list of known spam originators known as the Real-time Blackhole 
List (RBL). Any incoming connection attempt is denied if the address is 
found in the RBL. 

If you check the list entry provided, the RBL of the Mail Abuse Prevention 
System project is used. You can also enter the domain name of another RBL 
provider in the New RBL Site field and add it to the list of RBL sites by 
clicking Add. 

9 Click Next. 
[Screen shown in Figure 4-9: SMTP Configuration Wizard, Anti-Relay. "Define 
the default anti-relay settings for all smtp mail rules. You can later change 
these settings from the SMTPD and/or individual rule properties." No Source 
Routed Address allowed check box (checked); Specify recipient's domain below 
list with Add and Remove buttons; Check against RBL list with a New site field, 
an Add button and the entry relays.mail-abuse.org. Buttons: Back, Next, 
Cancel.] 

Figure 4-9 Anti-Relay screen 

10 On the Anti-Relay page, define the default anti-relay settings for your SMTP 
mail rules. 

No Source Routed Address allowed is enabled by default. This causes SMTP 
to refuse all email to addresses specified using source-routing syntax, such as 
@host1,@host2:user@symantec.com. 

If you disable this check box and specify a domain name in the Specify 
recipient's domain field, the SMTP proxy will only accept the email if 
the final destination is one of the acceptable recipient domains. 

If you disable this check box and do not specify a recipient domain, the 
SMTP proxy will accept email for all addresses, source-routed or not. 

You can also specify an RBL site against which the address should be checked. 



11 Click Next. 



[Screen shown in Figure 4-10: SMTP Configuration Wizard, Check DUL. "Check 
sender's address against sites with dialup and dynamically assigned IP 
addresses." New site field with an Add button, and a list containing 
dialups.mail-abuse.org.] 

Figure 4-10 Check DUL screen 

12 On the Check DUL screen, specify the domain name of a dial-up user list 
(DUL), or check the domain name provided. 

As with the RBL, this instructs SMTP to check the sender's address against a 
list of sites with dial-up and dynamically assigned IP addresses used by mass 
emailers who spam using direct connections to their victims' mail servers 
without using their ISP's mail server as a relay or gateway. 
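The Anti-Spam, Anti-Relay and Check DUL pages above describe four envelope-level checks: sender address format and MX lookup, RBL and DUL list lookups, refusal of source-routed recipients, and a restriction to acceptable recipient domains. As an added example (not Symantec's SMTPD code and not part of this guide), the following Python shows how a proxy applies them to the MAIL FROM and RCPT TO envelope. DNS answers come from a constructed in-memory table so it runs offline; the domains and addresses in it are invented. RBL and DUL lookups use the connecting client's IP address reversed octet by octet under the list zone, which is how DNS-based lists of this kind are queried; the list zone names are the ones shown on the wizard screens. 

```python
"""Envelope-level SMTP checks modelled on the Anti-Spam, Anti-Relay and
Check DUL settings: sender format/MX validation, RBL and DUL lookups,
source-routed address refusal and recipient-domain restriction.
Added illustration, not Symantec SMTPD code; DNS answers come from an
in-memory fixture so the example runs offline."""
import re
from dataclasses import dataclass, field
from ipaddress import IPv4Address

# Constructed DNS fixture: (name, rrtype) -> records. Names and addresses are
# invented for this example; a real check would query the resolver.
FAKE_DNS = {
    ("example.com", "MX"): ["mail.example.com"],
    ("nomx.example", "MX"): [],
    # DNS-based lists answer with an A record for the reversed client IP
    # under the list zone: here 1.2.3.4 is on the RBL and 6.7.8.9 on the DUL.
    ("4.3.2.1.blackholes.mail-abuse.org", "A"): ["127.0.0.2"],
    ("9.8.7.6.dialups.mail-abuse.org", "A"): ["127.0.0.3"],
}


def resolve(name, rrtype, dns=FAKE_DNS):
    """Stand-in resolver: the records for (name, rrtype), or [] if none."""
    return dns.get((name, rrtype), [])


@dataclass
class SmtpPolicy:
    """Settings corresponding to the wizard's check boxes and lists."""
    check_sender_dns: bool = True
    rbl_zones: list = field(default_factory=lambda: ["blackholes.mail-abuse.org"])
    dul_zones: list = field(default_factory=lambda: ["dialups.mail-abuse.org"])
    no_source_routed: bool = True
    recipient_domains: list = field(default_factory=list)


# user@host.tld with a fully qualified domain (at least one dot, alphabetic TLD)
_FQDN_ADDR = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def dnsbl_name(client_ip, zone):
    """Reverse the dotted quad and append the list zone: 1.2.3.4 -> 4.3.2.1.zone."""
    octets = str(IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_sender(policy, client_ip, mail_from, dns=FAKE_DNS):
    """Return None if MAIL FROM is acceptable, otherwise the rejection reason."""
    if policy.check_sender_dns:
        if not _FQDN_ADDR.match(mail_from):
            return "sender address malformed or domain not fully qualified"
        domain = mail_from.rsplit("@", 1)[1]
        if not resolve(domain, "MX", dns):
            return f"no MX record for {domain}"
    for zone in policy.rbl_zones:
        if resolve(dnsbl_name(client_ip, zone), "A", dns):
            return f"client {client_ip} listed in RBL {zone}"
    for zone in policy.dul_zones:
        if resolve(dnsbl_name(client_ip, zone), "A", dns):
            return f"client {client_ip} listed in DUL {zone}"
    return None


def check_recipient(policy, rcpt_to):
    """Anti-relay: refuse source-routed syntax and, when a recipient-domain
    list is configured, any final destination outside that list."""
    if policy.no_source_routed and rcpt_to.startswith("@"):
        return "source-routed address refused"
    final = rcpt_to.rsplit(":", 1)[-1]          # strip any @host1,@host2: route
    domain = final.rsplit("@", 1)[-1].lower()
    if policy.recipient_domains and domain not in policy.recipient_domains:
        return f"relaying to {domain} not permitted"
    return None


if __name__ == "__main__":
    policy = SmtpPolicy()
    print(check_sender(policy, "1.2.3.4", "user@example.com"))
    print(check_recipient(policy, "@host1,@host2:user@symantec.com"))
```

The recipient check reproduces the three cases the Anti-Relay page spells out: with No Source Routed Address allowed enabled the routed address is refused outright; with it disabled and a recipient domain list configured only the final destination domain is examined; with it disabled and no list, every address is accepted. 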
[Screen shown in Figure 4-11: Completing the SMTP Configuration Wizard. "The 
SMTP Configuration Wizard has successfully: Modified or created rules to enable 
your internal mail server to send and receive mail. In order for these changes 
to take effect, you must save and reconfigure. Would you like to save and 
reconfigure now?" Radio buttons: Yes, save and reconfigure (selected); No, I 
will save and reconfigure later. "To exit the wizard, click Finish." Buttons: 
Back, Finish, Cancel.] 

Figure 4-11 Completing the SMTP Configuration Wizard 

13 Select the appropriate radio button to indicate whether you will save and 
reconfigure the appliance now or later, then click Finish to complete the 
wizard. 



Note: You can change the anti-spam and anti-relay settings from the 
SMTPD Proxy Properties page and/or the individual rule properties. For 
more information, see the Symantec Enterprise Firewall and Symantec VPN 
Configuration Guide. 
VPN 



This chapter describes the use of the two tunnel wizards, S2S (site to site) and the 
VPN Client. You can use these wizards to connect to remote hosts or clients. If 
you would prefer not to use these wizards, refer to the procedures for configuring 
secure tunnels in the Symantec Enterprise Firewall and Symantec Enterprise VPN 
Configuration Guide, provided in PDF format. 



Note: In order to use VPN Client tunnels, you will need the full VPN function 
crossgrade license. 



Symantec Raptor Management Console provides two tunnel wizards: 

■ S2S Tunnel Wizard: Use this wizard to configure site to site (LAN to LAN) 
secure tunnels. 

■ VPN Client Tunnel Wizard: Use this wizard to configure tunnels to VPN 
clients. 



Note: Before you use the tunnel wizards, you may want to configure the network 
entity and security gateway building blocks selected for your tunnel, although the 
wizards do let you create these. See the Symantec Enterprise Firewall and Symantec 
Enterprise VPN Configuration Guide for Network Entity, Security Gateway, and 
Certificate configuration procedures. 



To access either of the tunnel wizards in Symantec Raptor Management 
Console 

1 Select the system icon for the VelociRaptor 1.5 appliance you are managing 
from the left pane. The Configuring your Symantec System taskpad appears 
in the right pane (see Figure 4-1). 

2 Click on the S2S Tunnel Wizard icon or the VPN Client Tunnel Wizard icon 
to begin configuring your tunnel. 



The VelociRaptor 1.5 appliance can create VPN tunnels to other VelociRaptor 
appliances, Symantec Gateway Security appliances, Symantec Firewall/VPN 
appliances, systems running Symantec Enterprise Firewall with VPN, or to any 
IPsec compliant device. It can also create tunnels to remote clients running 
Symantec Enterprise VPN clients with the full VPN function crossgrade license. 

Configure S2S tunnels using the wizard 

The secure tunnel configuration displayed in Figure 5-1 is an example of a site to 
site tunnel. The following pages walk you through the process of using the S2S 
Tunnel Wizard to set up the components of this tunnel. 

In Figure 5-1, there are two sites. Each site is protected by a VelociRaptor 1.5 
appliance. West is the local appliance in this example and East is the remote VPN 
server. The goal of this configuration is to establish a VPN tunnel uniting the 
subnets behind each firewall. 



[Diagram shown in Figure 5-1: two sites joined by a secure tunnel across the 
Internet. 

Local (West): VelociRaptor West, Security Gateway 206.7.7.3, protecting Subnet 
Manufacturing 192.168.10.0, Netmask 255.255.255.0. 

Remote (East): VelociRaptor East, Security Gateway 206.7.7.2, protecting Subnet 
Finance 192.168.20.0, Netmask 255.255.255.0.] 

Figure 5-1 Site to site secure tunnel 

To begin using the wizard, from the Symantec Raptor Management Console 
Configuring your Symantec System taskpad (see Figure 5-2), click the S2S 
Tunnel Wizard icon. The Introduction screen shown in Figure 5-3 appears. 
Figure 5-2 Configuring your Symantec System taskpad 

[Screen shown in Figure 5-3: S2S Tunnel Wizard Introduction. Links on the left: 
Local End, Remote End, VPN Policy, Finish Setup, Cancel Setup. "Navigate 
through this wizard by selecting the links on the left. Each link represents a 
component of the tunnel you must configure. Once you've completed a given 
component, a checkmark appears next to the link. When you've finished 
configuring all the required elements, click the Finish Setup link to save your 
secure tunnel. A secure tunnel configuration requires that you set up the 
following: Local End, Remote End, VPN Policy. Click the corresponding links on 
the left to begin."] 

Figure 5-3 Introduction screen: S2S Tunnel Wizard 

As the Introduction screen explains (see Figure 5-3), click on the links on the left 
side of the screen to configure the corresponding component of the tunnel. It is 
suggested that you follow the links in the order they appear, starting with Local 
End. 

In the various wizard screens, you are asked to select a combination of security 
gateways, network entities, and users with which to build your tunnel. If you have 
not configured these tunnel components before beginning the wizard, you can 
create a new security gateway, network entity, or user from within the wizard. 

To configure the Local End of an S2S tunnel using the S2S Tunnel Wizard 

1 From the wizard Introduction page, click on the Local End link on the left 
side of the screen. 

The Local End configuration page appears (see Figure 5-4). 
[Screen shown in Figure 5-4: Local End. "To configure the local end of your 
secure tunnel, you select a local security gateway (generally your Raptor 
system's outside interface) and the protected network entity that acts as the 
originator of the packets being sent or the final destination of the packets 
passing through the tunnel. 
1. Select an existing local security gateway using an already configured 
security gateway entity. Or: Select a local interface to create a new local 
security gateway. 
2. Select an existing network entity using an already configured network 
entity. Or: Create a new local protected entity to serve as the originator of 
tunnel packets or the final destination for tunnel packets. 
Once your local end selections are made, click the Remote End link."] 

Figure 5-4 Local End: S2S Tunnel Wizard 

2 Step 1 on the Local End screen gives you two ways to select the local security 
gateway: 

■ By selecting an existing security gateway 

■ By using a local interface to create a new security gateway 

For the network example in Figure 5-1, we will create the local security 
gateway using the local interface. 

Click the local interface link available in step 1 on the configuration page to 
display the pull-down menu (see Figure 5-5). 
[Screen shown in Figure 5-5: the Local End screen with the local interface 
pull-down menu open under step 1, listing eth1 and eth0.] 

Figure 5-5 Local interface pull-down menu 

3 From the interfaces available in the pull-down menu, select the outside 
interface, eth0, to become your local security gateway. This displays the New 
Security Gateway dialog box. 

4 In the dialog box, type a name for your gateway. Our example uses West (see 
Figure 5-6). 



[Dialog shown in Figure 5-6: New Security Gateway. Name: West; Network 
Interface: eth0. Buttons: OK, Cancel.] 

Figure 5-6 New Security Gateway dialog box: local end 

5 Click OK; your new security gateway will be used as the local security 
gateway. 
6 Step 2 of the Local End screen gives you two ways to specify the originator or 
the endpoint for tunnel packets: 

■ By selecting an existing network entity 

■ By creating a new local protected entity 

In this case, we will create a new entity to represent our manufacturing 
subnet shown in Figure 5-1. 

From the second part of step 2, select the Create a new local protected entity 
link to display a pull-down menu of allowed entity types (see Figure 5-7). 
[Screen shown in Figure 5-7: the Local End screen, now showing West as the 
selected security gateway in step 1, with the Create a new local protected 
entity pull-down menu open under step 2, listing Host, Subnet and Group.] 

Figure 5-7 Local protected entity pull-down menu 

7 In this example, we select Subnet from the pull-down menu to create the 
192.168.10.0 manufacturing subnet displayed in Figure 5-1. A New Subnet 
dialog box appears (see Figure 5-8). 
[Dialog shown in Figure 5-8: New Subnet. Name field; "Enter the IP address of 
your new subnet. A network mask will be generated for you automatically." 
Buttons: OK, Cancel.] 

Figure 5-8 New Subnet dialog: local end 

8 In the dialog box, type a Name for your subnet entity, in this case, 
manufacturing, and type the IP address of the subnet, in this case 
192.168.10.0. 

9 Click OK; your subnet entity will be used as the local network entity. 
[Screen shown in Figure 5-9: the completed Local End screen. Step 1 reads 
"Select West using an already configured security gateway entity" and step 2 
reads "Select manufacturing using an already configured network entity", 
followed by "Once your local end selections are made, click the Remote End 
link."] 

Figure 5-9 Completed Local End screen: S2S Tunnel Wizard 
The local end of your secure tunnel is now configured. 



To configure the Remote End of an S2S tunnel using the S2S Tunnel Wizard 

1 Click the Remote End link on the left side of the screen. 

The Remote End screen is displayed with a check mark beside the Local End 
link to indicate completion, as shown in Figure 5-10. 
[Screen shown in Figure 5-10: Remote End, with a check mark beside the Local 
End link. "To configure the remote end of your secure tunnel, you select a 
remote security gateway and the protected network entity that acts as the 
originator of the packets being sent or the final destination of the packets 
passing through the tunnel. 
1. Select an existing remote security gateway using an already configured 
security gateway entity. Or: Create a new remote security gateway for your 
tunnel. 
2. Select an existing network entity using an already configured network 
entity. Or: Create a new remote protected entity to serve as the originator of 
tunnel packets or the final destination for tunnel packets. 
Once your remote end selections are made, click the VPN Policy link."] 

Figure 5-10 Remote End Screen: S2S Tunnel Wizard 

2 Step 1 on the Remote End screen gives you two ways to select the remote 
security gateway: 

■ By selecting an existing remote security gateway entity 

■ By creating a new remote security gateway entity 

For the network example in Figure 5-1, we will create a new remote security 
gateway for the appliance called East by selecting the Create a new remote 
security gateway link available in step 1. The New Security Gateway dialog 
box appears (see Figure 5-11). 
[Dialog shown in Figure 5-11: New Security Gateway. Name: East. "Enter the IP 
address or a DNS resolvable name for your new Security Gateway." 206.7.7.2. 
Authentication method: Certificate (selected) or Shared Key. "Note that both 
gateways of a tunnel must be using the same authentication method (and the 
same shared secret if using it)." Buttons: OK, Cancel.] 

Figure 5-11 New Security Gateway dialog box: Remote End 

3 In the dialog box, type a Name and an IP address for your remote gateway. In 
this case, East and 206.7.7.2. Also, decide which authentication method is to 
be used (see Figure 5-11). In this example, we have selected Certificate for 
authentication. 

For details on authentication, see the Symantec Enterprise Firewall and 
Symantec Enterprise VPN Configuration Guide. 

4 Click OK; the name of your new security gateway will be used as the Remote 
Security Gateway. 

5 Step 2 of the Remote End screen gives you two ways to specify the remote 
originator or endpoint for tunnel packets: 

By selecting an existing network entity 

By creating a new protected network entity 

In this case, we will create a new entity to represent the remote finance subnet 
displayed in Figure 5-1. 

From the second part of step 2, select the Create a new remote protected 
entity link. A pull-down menu appears (see Figure 5-12). 
The pull-down menu offers Subnet, Host, and Group as the type of remote
protected entity to serve as the originator of tunnel packets or the final
destination for tunnel packets.

Figure 5-12 Remote protected entity pull-down menu

6 From the pull-down menu, select Subnet to create the finance subnet 
(192.168.20.0) displayed in Figure 5-1. The New Subnet dialog box appears (see 
Figure 5-13). 
The New Subnet dialog box has these fields:

Name: finance
Enter the IP address of your new subnet. A network mask will be generated for
you automatically: 192.168.20.0

Figure 5-13 New Subnet dialog box: Remote End

7 In the dialog box, type a Name for your subnet entity and the IP address of 
the subnet, in this case finance and 192.168.20.0. 

8 Click OK; your new subnet entity will be used as the remote network entity. 
The completed Remote End screen shows East as the remote security gateway and
finance as the remote network entity:

1. Select East, using an already configured security gateway entity.
   Or
   Create a new remote security gateway for your tunnel.

2. Select finance, using an already configured network entity.
   Or
   Create a new remote protected entity to serve as the originator of tunnel
   packets or the final destination for tunnel packets.

Once your remote end selections are made, click the VPN Policy link.

Figure 5-14 Completed Remote End screen: S2S Tunnel Wizard
The remote end of your secure tunnel is now configured. 

To configure the VPN Policy of a S2S Tunnel 

1 On the left side of the screen, click the VPN Policy link to display the 
VPN Policy configuration page. 

A check mark appears beside the Remote End link to indicate completion 
(see Figure 5-15). 
The VPN Policy screen reads:

The VPN policy you select determines the privacy and integrity algorithms used
for encrypting and decrypting packets passing through your secure tunnel. There
are several pre-configured policies for you to choose from depending on the
level of security you require.

1. Select a pre-configured VPN policy for your new tunnel.

Once your VPN policy selection is made, if check marks appear beside the Local
End and Remote End links, you can click the Finish Setup link to complete and
save the secure tunnel. If you have made any configuration errors, the wizard
notifies you when you attempt to save the tunnel in the Finish Setup page. You
can go back to any link and make the necessary corrections.

Figure 5-15 VPN Policy screen: S2S Tunnel Wizard

2 The VelociRaptor 1.5 appliance ships with several pre-configured VPN 
policies. From step 1 in this VPN Policy screen (see Figure 5-15), click the 
VPN policy link. 

The VPN policy pull-down menu appears (see Figure 5-16). 
Figure 5-16 VPN policy pull-down menu 

3 From the pull-down menu, select an existing policy. 

In this case, we are selecting the pre-configured ike_default_crypto_strong 
policy. Once your tunnel is configured, you can exit the wizard and access the 
property page for this VPN policy to view its components. 



Caution: The VPN policy must be the same for both ends of the tunnel. 
Administrators must exchange this information. Refer to the Symantec 
Enterprise Firewall and Symantec Enterprise VPN Configuration Guide for 
details. 



To finish the configuration of the S2S tunnel 

1 On the left side, click the Finish Setup link. 

The Finish Setup screen is displayed, with a check mark beside the VPN 
Policy link to indicate that the VPN Policy configuration is complete. 
The Finish Setup screen reads:

Here are your current selections.

Local Security Gateway     West
Local Network Entity       manufacturing   192.168.10.0
Remote Security Gateway    East            206.7.7.2
Remote Network Entity      finance         192.168.20.0
VPN Policy                 ike_default_crypto_strong

Click on Finish to accept the changes or Save to save and reconfigure. If you
need to make any changes, click on the left pane links.

Although this wizard creates the secure tunnel and all the necessary tunnel
components for you, once you've completed the wizard, you can access the
property pages for all the items you've selected and make changes.

Name: manufacturingtofinance          Finish | Save

Figure 5-17 Finish Setup: S2S Tunnel Wizard

The Finish Setup screen (see Figure 5-17) displays the selections you have 
made in the previous screens. If you have failed to make a required selection, 
that item appears with the word "undefined" beside it in the Finish Setup 
screen and that link has no check mark beside it on the left side of the screen. 
If you were unable to complete any of the screens up to this point, simply 
click on that screen's link in the left pane to go back. 

2 The Finish Setup screen assigns a default name to your tunnel. 

In the Name field, enter your own name for the secure tunnel before you 
save. 

In Figure 5-17, we have named the tunnel manufacturingtofinance. 

3 If each left pane item has a check mark beside it, you can now click the Save 
button to save your secure tunnel configuration. 

If there are any errors in your configuration, a message notifies you that the 
configuration is invalid. You can then click on any of the left side links to 
make the necessary corrections. 

When you have completed and exited the tunnel wizard, you can view your 
configuration in Symantec Raptor Management Console by expanding the 
Virtual Private Networks folder, clicking on the Secure Tunnels, and then double 
clicking the entry for the tunnel you created (see Figure 5-18). 
You can also open the property pages for the entities and the tunnel you have just 
created. From those property pages, you can check your configuration and make 
any edits, if necessary. Refer to the Symantec Enterprise Firewall and Symantec 
Enterprise VPN Configuration Guide for more detailed tunnel configuration 
information. 
Figure 5-18 Configured S2S secure tunnel in Symantec Raptor Management 
Console 

You must configure both ends of the tunnel. Run the S2S Wizard on the remote 
end of the tunnel, and specify the setup information in the reverse manner as the 
procedure in Configure S2S tunnels using the wizard on page 72. For example, 
local would be East and finance and remote would be West and manufacturing. 
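The mirroring and matching rules described above (local and remote reversed on the other gateway, the same VPN policy at both ends, and the same authentication method and shared secret on both gateways) can be checked before the two administrators commit their tunnels. The following Python script is an added example and is not part of the VelociRaptor software or this guide. The gateway and entity names, the subnets, the East address 206.7.7.2 and the policy name are those of the example network; the West address 206.7.7.1 and the data-structure field names are assumptions of the example.

```python
"""Mirror one end of an S2S tunnel onto the other gateway and cross-check the pair.

Added example, not part of the VelociRaptor manual or product. It encodes three
rules the wizard text states: the remote end is the local end with the roles
reversed, both ends must use the same VPN policy, and both gateways must use
the same authentication method (and the same shared secret when shared-key
authentication is used). The West address 206.7.7.1 is assumed.
"""
from dataclasses import dataclass, replace
import hmac


@dataclass(frozen=True)
class Gateway:
    name: str
    address: str          # IP address or DNS-resolvable name of the gateway
    auth: str             # "certificate" or "shared_key"
    shared_key: str = ""  # used only when auth == "shared_key"


@dataclass(frozen=True)
class Entity:
    name: str
    network: str          # protected subnet, e.g. "192.168.10.0"


@dataclass(frozen=True)
class Tunnel:
    name: str
    local_gw: Gateway
    local_entity: Entity
    remote_gw: Gateway
    remote_entity: Entity
    vpn_policy: str


def west_tunnel() -> Tunnel:
    """The guide's manufacturingtofinance tunnel as entered on West."""
    west = Gateway("West", "206.7.7.1", "certificate")   # 206.7.7.1 is assumed
    east = Gateway("East", "206.7.7.2", "certificate")
    return Tunnel("manufacturingtofinance",
                  west, Entity("manufacturing", "192.168.10.0"),
                  east, Entity("finance", "192.168.20.0"),
                  "ike_default_crypto_strong")


def mirror(t: Tunnel, name: str) -> Tunnel:
    """The same tunnel as it must be entered on the other gateway: local and
    remote swap places, policy and authentication settings stay the same."""
    return replace(t, name=name,
                   local_gw=t.remote_gw, local_entity=t.remote_entity,
                   remote_gw=t.local_gw, remote_entity=t.local_entity)


def check_pair(a: Tunnel, b: Tunnel) -> list:
    """Return the inconsistencies between the two ends; an empty list means
    the settings the two administrators exchanged agree."""
    problems = []
    if (a.local_gw.address, a.local_entity.network) != (b.remote_gw.address, b.remote_entity.network):
        problems.append(f"remote end of {b.name} is not the local end of {a.name}")
    if (b.local_gw.address, b.local_entity.network) != (a.remote_gw.address, a.remote_entity.network):
        problems.append(f"remote end of {a.name} is not the local end of {b.name}")
    if a.vpn_policy != b.vpn_policy:
        problems.append(f"VPN policy differs: {a.vpn_policy} vs {b.vpn_policy}")
    if a.remote_gw.auth != b.remote_gw.auth:
        problems.append(f"authentication method differs: {a.remote_gw.auth} vs {b.remote_gw.auth}")
    elif a.remote_gw.auth == "shared_key" and not hmac.compare_digest(
            a.remote_gw.shared_key.encode(), b.remote_gw.shared_key.encode()):
        problems.append("shared secrets differ")
    return problems


if __name__ == "__main__":
    west = west_tunnel()
    east = mirror(west, "financetomanufacturing")
    print("East enters local:", east.local_gw.name, east.local_entity.name,
          "remote:", east.remote_gw.name, east.remote_entity.name)
    print("problems:", check_pair(west, east) or "none")
```

The shared-secret comparison uses hmac.compare_digest so that a script run against exported configurations does not leak the secret's length or prefix through timing; the address and subnet comparisons are plain equality because those values are not secret.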



Configure VPN Client tunnels using the wizard 

The VPN client tunnel configuration displayed in Figure 5-19 is an example of a 
secure tunnel set up between a LAN behind a VelociRaptor 1.5 appliance and a 
VPN client in the field. The following pages walk you through the process of 
using the VPN Client Tunnel Wizard to set up the components of this tunnel. 

In Figure 5-19, West is once again our local VPN Server in this example and 
JSmith is the user name for our Symantec Enterprise VPN Client (SEVPN). The 
goal of this configuration is to establish a VPN uniting the subnet behind the 
local VelociRaptor 1.5 appliance with the SEVPN client JSmith. 
Figure 5-19 VPN Client secure tunnel 
To configure a VPN Client tunnel 

To begin using the wizard, from the Symantec Raptor Management Console 
Configuring your Symantec System taskpad (see Figure 4-1), click the VPN 
Client Tunnel Wizard icon. The Introduction screen shown in Figure 5-3 
appears. 

The wizard screens as well as the configuration procedures for both the S2S and 
VPN Client Tunnel Wizards in our examples are identical with one exception, 
configuring the Remote End. Because the Local End in this second example is the 
same as in the first example, only the differing Remote End VPN Client 
configuration procedure is detailed in the following pages. For more information 
see Configure S2S tunnels using the wizard on page 72. 

To configure the Remote End of the VPN Client Tunnel 

1 Click on the Remote End link on the left side of the screen. The Remote End 
configuration page appears (see Figure 5-20). 
The Remote End screen of the VPN Client Tunnel Wizard gives you three 
ways to specify the single entity that will serve as both the remote security 
gateway and the tunnel endpoint. 

By selecting an existing IKE- enabled user 

By creating a new IKE-enabled user 

By selecting an existing user group 



The Remote End screen of the VPN Client Tunnel Wizard reads:

To configure the remote mobile end for your secure tunnel, you select an
IKE-enabled user or user group to act as both the remote security gateway and
the tunnel endpoint.

1. Select an existing IKE-enabled user using an already configured user.
   Or
   Create a new IKE-enabled mobile user for your tunnel.
   Or
   Alternatively, if you have already configured user groups in SRMC, you can
   select an existing user group to serve as both the remote security gateway
   and tunnel endpoint.

Once your remote end selection is made, click the VPN Policy link.

Figure 5-20 Remote End screen: VPN Client Tunnel Wizard

2 For the network example in Figure 5-19, we are creating a new VPN Client 
user named JSmith. 

From the Remote End VPN Client Wizard page (see Figure 5-20), click the 
Create a new IKE-enabled mobile user link available in step 1. The New 
IKE-enabled User dialog box appears (see Figure 5-21). 
The New IKE-enabled User dialog box has these fields:

Name: JSmith
An authentication method must be specified for a mobile user. You can select
using Certificate or Shared Secret or both.
Certificate (checked)
Shared Key (checked), with the key value in the adjacent field

Figure 5-21 IKE-enabled User dialog box

3 In the New IKE-enabled User dialog box, type the Name of the VPN Client 
user (JSmith). 

4 Select the authentication method(s) this user will use. You can select 
Certificate, or Shared Key, or both. 

If you select Certificate, you must create an Entrust Certificate and 
provide it to the user. See the section on configuring certificate 
authentication in the Symantec Enterprise Firewall and Symantec 
Enterprise VPN Configuration Guide. 

If you select Shared key, enter a shared key of 20 or more printable 
characters. Record the shared key so that you can provide it to the VPN 
Client user. 

This example shows the use of both a certificate and shared key. 

5 Click OK. 

Your new user (JSmith) is automatically entered in the first part of step 1 (see 
Figure 5-22). 



The Finish Setup screen for the VPN Client tunnel reads:

Local Security Gateway     West
Local Network Entity       manufacturing
Remote Security Gateway    N/A
VPN Policy                 ike_default_crypto_strong

Click on Finish to accept the changes or Save to save and reconfigure. If you
need to make any changes, click on the left pane links.

Although this wizard creates the secure tunnel and all the necessary tunnel
components for you, once you've completed the wizard, you can access the
property pages for all the items you've selected and make changes.

Name: JSmithWestVPN          Finish | Save

Figure 5-22 Finish Setup screen: VPN Client Tunnel Wizard

Once you have made your remote VPN Client selection, click the VPN Policy 
link to continue configuring your tunnel. The VPN Policy configuration 
procedure is the same as in the S2S example. Refer to the steps after the 
figure VPN Policy screen: S2S Tunnel Wizard on page 85 to continue. 




Routes and DNS 



Routing is the process of choosing a path over which to send packets of 
information. For the security gateway to function properly, specific routes must 
be defined in the Routing Tables. Network routes must be configured properly to 
allow information to move from machine to machine. 

This chapter explains how to configure routes and set up the name service using 
the dynamic name server (DNS) proxy. Make sure you have a solid working 
knowledge of DNS before proceeding, as well as a list of the names and IP 
addresses of all computers at your site, both in front of and behind the 
VelociRaptor appliance. 

The configuration done in this chapter includes only the most basic name service 
features. Refer to the Symantec Enterprise Firewall and Symantec Enterprise VPN 
Configuration Guide for more advanced features. 

Setting up routes 

Your TCP/IP protocol settings must be configured properly for the VelociRaptor 
appliance to work. This includes setting static routes (or default gateways) on 
your VelociRaptor appliance and your other computers. 

Routes are necessary if you have a routed network behind the VelociRaptor 
appliance. The VelociRaptor appliance must be able to find the appropriate 
router through which to send packets. 

■ A routed network has more than one subnet behind the VelociRaptor 
appliance inside network interface. Other networks are behind routers or 
gateways. 

■ A flat network has only one subnet behind the VelociRaptor appliance. There 
is no router or gateway system behind the appliance. 
Figure 6-1 A Routed network example 

In the example network in Figure 6-1, default route settings for the internal 
network are as shown in Table 6-1. 

Table 6-1 Default route settings 

Machine                Default route settings
news                   169.254.1.2 (VRaux1 interface)
web                    169.254.1.3 (VRaux1 interface)
server                 192.168.1.17 (VR inside interface)
wkst 192.168.1.1       192.168.1.17 (VR inside interface)
wkst 192.168.1.2       192.168.1.17 (VR inside interface)
wkst 192.168.1.3       192.168.1.17 (VR inside interface)
wkst 192.168.3.10      192.168.3.85 (inside router)
wkst 192.168.3.11      192.168.3.85 (inside router)
wkst 192.168.3.12      192.168.3.85 (inside router)
wkst 192.168.5.2       192.168.5.1 (inside router)
wkst 192.168.5.3       192.168.5.1 (inside router)
wkst 192.168.5.4       192.168.5.1 (inside router)
www                    169.254.0.1 (Internet router)



Specifying the default gateway 

For most installations, the default route will be your Internet router. In the 
example network shown in Figure 6-1, the VelociRaptor appliance host must 
have the default route set to 169.254.0.254. 

When you first configure the VelociRaptor appliance using the setup wizard, you 
enter the default gateway information on the first screen. If for some reason, the 
default gateway was not specified then, you can specify it by accessing the 
VelociRaptor appliance Properties page. 

To specify the default gateway 

1 From the left pane of the Symantec Raptor Management Console, select the 
icon of the VelociRaptor appliance you are configuring. 

2 From the Action menu, select Properties. 
The VelociRaptor appliance Properties page displays (see Figure 6-2). Its
System tab reads:

The current system name, domain name and default gateway address.
System Name:                VRONEFIVE
Domain Name:                yourdomain.com
Default Gateway Address:    169.254.0.254
UPS Support:                Stop / Start
Front Panel Keypad Locking: Disable / Enable

Figure 6-2 Route properties window 

3 Select the System tab and enter the default gateway information, as shown in 
Figure 6-2. 

4 Click OK to save your updated default gateway information. 

You must save and reconfigure the VelociRaptor appliance for your changes 
to take effect. 

5 Right-click in the left pane. 

6 Choose All Tasks>Save and Reconfigure. 



Creating static routes 

Static routes are necessary if you have a routed network behind the VelociRaptor 
appliance. For the routed network to work properly, the router or routers must 
be properly configured. Use the ping command to check the ability of computers 
on routed networks to connect to the VelociRaptor appliance. It is recommended 
that you use contiguous networks to reduce the number of static routes required. 
The network in Figure 6-1 requires a route for the 192.168.3.0 and 192.168.5.0 
networks. 
To create a route 

1 From the left pane of the Symantec Raptor Management Console, select the 
Routes icon, right mouse click and choose New > Route. 

The Route Properties window opens (see Figure 6-3). 



The Route Properties window has these fields:

Destination Address: 192.168.3.0
Netmask:             255.255.255.0
Gateway Address:     192.168.1.62

Figure 6-3 Route Properties (New) screen 

2 Type the Destination network. In our example, it is the network behind the 
inside router: 192.168.3.0. 

3 Type the appropriate netmask. In our example: 255.255.255.0. 

4 In the Gateway Address field, type the address of the router. 

For example, 192.168.1.62. This is the router address on the same network as 
the VelociRaptor appliance inside interface. 

5 Click OK to save route information and close the Route Properties window. 
Any connection for an address in the range of 192.168.3.0 to 192.168.3.254 is 
directed to the router (192.168.1.62). 

You would repeat this procedure to create a static route for the 192.168.5.0 
subnet. 
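The lookup the appliance performs for the example network (directly connected networks first, then static routes by longest prefix, then the default gateway), together with the check that a route's gateway lies on a network the appliance is directly connected to, is worked through in the following Python script. It is an added example, not code from the appliance or this guide. The 192.168.3.0/24 route via 192.168.1.62 and the default gateway 169.254.0.254 are the values from this chapter; the inside and outside interface addresses come from the hosts files later in the chapter with an assumed /24 mask, and the gateway 192.168.1.63 for the 192.168.5.0 subnet is assumed, since the chapter gives only that router's inside address 192.168.5.1.

```python
"""Check static routes and resolve next hops for the routed network in Figure 6-1.

Added example, not part of the manual or the appliance software. Values marked
"assumed" are not given by the manual.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str   # network address, as typed into Destination Address
    netmask: str       # dotted netmask, as typed into Netmask
    gateway: str       # router address on a network the appliance is connected to

    def network(self) -> ipaddress.IPv4Network:
        # strict=True rejects a destination with host bits set, e.g. 192.168.3.5/24
        return ipaddress.ip_network(f"{self.destination}/{self.netmask}", strict=True)


# Connected interfaces of the appliance (masks assumed).
INTERFACES = [ipaddress.ip_interface("192.168.1.17/24"),   # inside
              ipaddress.ip_interface("169.254.0.1/24")]    # outside
DEFAULT_GATEWAY = "169.254.0.254"
STATIC_ROUTES = [Route("192.168.3.0", "255.255.255.0", "192.168.1.62"),
                 Route("192.168.5.0", "255.255.255.0", "192.168.1.63")]  # gateway assumed


def validate(routes, interfaces=INTERFACES, default_gateway=DEFAULT_GATEWAY) -> list:
    """Return the problems that would make a route unusable: a malformed
    destination, or a gateway the appliance cannot reach directly."""
    problems = []
    connected = [i.network for i in interfaces]
    for r in [*routes, Route("0.0.0.0", "0.0.0.0", default_gateway)]:
        try:
            net = r.network()
        except ValueError as e:
            problems.append(f"bad destination {r.destination}/{r.netmask}: {e}")
            continue
        gw = ipaddress.ip_address(r.gateway)
        if not any(gw in n for n in connected):
            problems.append(f"gateway {gw} for {net} is not on a directly connected network")
    return problems


def next_hop(address, routes=STATIC_ROUTES, interfaces=INTERFACES,
             default_gateway=DEFAULT_GATEWAY) -> str:
    """Longest-prefix match over connected networks and static routes, falling
    back to the default gateway. Returns the gateway address, or
    'direct via <interface>' when the destination is on a connected network."""
    addr = ipaddress.ip_address(address)
    best_len, hop = -1, default_gateway
    for i in interfaces:
        if addr in i.network and i.network.prefixlen > best_len:
            best_len, hop = i.network.prefixlen, f"direct via {i.ip}"
    for r in routes:
        net = r.network()
        if addr in net and net.prefixlen > best_len:
            best_len, hop = net.prefixlen, r.gateway
    return hop


if __name__ == "__main__":
    print("route problems:", validate(STATIC_ROUTES) or "none")
    for dst in ("192.168.1.2", "192.168.3.12", "192.168.5.3", "198.51.100.7"):
        print(f"{dst:15} -> {next_hop(dst)}")
```

Running validate against a route whose gateway is the router's far-side address (192.168.3.85 rather than 192.168.1.62) reports it as unreachable, which is the mistake the Gateway Address note above warns against.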



Configure the DNS proxy 



The DNS proxy provides a simple way to handle name service at your site. It does 
not provide private information to outside users. 
This chapter uses the xyz.com network (shown in Figure 6-1) as a typical example 
of how to configure the DNS proxy. It includes only basic functionality. The 
example network has a VelociRaptor appliance that does all the name resolution 
for this site. There is a protected news server on a service network. The main 
networks are the private protected machines. 

An alternative to using the DNS proxy by itself to provide all name resolution is 
to use an inside name server for inside name requests. The DNS proxy still deals 
with outside requests. This is called a dual-level DNS. 



Caution: You should understand DNS before attempting to configure the DNS 
proxy. See the Symantec Enterprise Firewall and Symantec Enterprise VPN 
Configuration Guide for information on DNS. 



Provide private DNS file address statements 

The private DNS entries are stored in the hosts file on the appliance's Linux 
system, and the public entries are stored in the hosts.pub file. Use the Symantec 
Raptor Management Console to specify each DNS entry as Public or Private. Private 
machines are intended for use by inside users only. Their names and IP addresses 
are kept secret from the outside interface to help prevent attack. 

You can create the DNS entries using the Symantec Raptor Management Console 
DNSD (Dynamic Name Server Daemon) Properties window. For more 
information, see the Symantec Enterprise Firewall and Symantec Enterprise VPN 
Configuration Guide. 

To create the DNS entries using the Symantec Raptor Management Console 

1 From the left pane of the Symantec Raptor Management Console, expand the 
Base Components folder in the Symantec Raptor Management Console. 

2 Select the DNS Records icon. 

The existing DNS entries appear in the right pane (see Figure 6-4). 
Figure 6-4 Symantec Raptor Management Console hosts list 

3 To create a new host, right-click the DNS Records icon and choose New > 
Host. 

The DNS Record Properties page appears (see Figure 6-5). 



The DNS Record Properties page has these controls:

Specify the parameters associated with the chosen DNS record type.
Accessibility: Private / Public
Type: Name Server, Forwarder, Authority, Mail Server, Host, Recursion,
      Root Server, Interface, Subnet Map
Fields: Name, Network Address, Alias(es), Description, Domain(s) Served

Figure 6-5 DNS Record Properties page 
4 Under Accessibility, check whether the host is Private or Public. 



If you select Private, the data you typed is added to the hosts file. If you 
select Public, the data is added to the hosts.pub file. (See Provide hosts.pub 
file information on page 101 for information on the hosts.pub file.) 

5 Under Type, check Host if it is not already selected. 

When you select a Type, the fields in the DNS Record Property page that 
require data entry become available. 

6 In the Name field, type a fully qualified host name. 

7 In the Network Address field, type the IP address for the host. 

8 In the Alias(es) field, type the host's nickname(s). 

You can type several nicknames at once into this field, separating each by a 
space. 

9 In the Description field, type a description. 

The information you enter is written to the hosts file. The hosts file 
includes lines with an address and name. More than one name can be 
included for an address. 

10 Click OK to close the DNS Record Properties page. 

The entries for the 192.168.1.0 and 192.168.3.0 subnets in the hosts file for the 
example network in Figure 6-1 would look like this. Items are separated by one or 
more spaces. 

192.168.1.17 VelociRaptor.xyz.com VelociRaptor 
192.168.1.22 server.xyz.com server 
192.168.1.1 wkst1.xyz.com 
192.168.1.2 wkst2.xyz.com 
192.168.1.3 wkst3.xyz.com 
192.168.3.10 wkst10.xyz.com 
192.168.3.11 wkst11.xyz.com 
192.168.3.12 wkst12.xyz.com 



Note: Aliases are acceptable, as long as every line has a fully qualified host name. 

Your hosts file should also contain the following line, specifying the localhost (or 
loopback) address. 

127.0.0.1 localhost.xyz.com localhost 

The hosts file is the first place where the DNS proxy looks for an address when 
the request comes from a private system. You can add any other addresses to this 
file. For example, you might want to add outside machines from your network, as 
follows: 

169.254.1.2 news.xyz.com news 

169.254.1.3 web.xyz.com www 

You can also add frequently used hosts on the Internet to this file. Doing so can 
skip several name request steps. 

Provide hosts.pub file information 

The hosts.pub file provides host-to-IP address and address-to-host mappings for 
public systems. These are computers at your site that are intended for use by both 
inside and outside users. 

The \etc\hosts.pub file uses the same format as hosts. Each line must include an 
address and a fully qualified name. 

The following examples show entries that might appear in the hosts.pub file for 
the sample network in Figure 6-1. Again, a fully qualified host name is required 
on each line. 

169.254.1.2 news.xyz.com 
169.254.1.3 web.xyz.com 
169.254.0.1 VelociRaptor.xyz.com 

Unlike information in hosts, information on systems in the hosts.pub file is 
available to both public and private networks. 



Note: As in hosts, aliases are acceptable, as long as every line has a fully qualified 
host name. 
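The hosts and hosts.pub formats described in the two preceding sections, and the lookup order the DNS proxy applies to them, are worked through in the following Python script. It is an added example and not the DNS proxy's own code. The file contents are the example entries from this chapter, embedded as constructed input. The check that reports RFC 1918 or loopback addresses in hosts.pub is this example's own, following the point above that private names and addresses are kept from the outside; the chapter's 169.254.x.x addresses stand in for public address space in the example network, so they are deliberately not flagged.

```python
"""Parse, lint and query the DNS proxy's hosts and hosts.pub files.

Added example, not part of the manual or the appliance software. The rules it
applies are the manual's: each line carries an address, a fully qualified host
name and optional aliases; hosts is consulted first for requests from private
systems; hosts.pub is visible to both private and public networks. The leak
check for internal addresses in hosts.pub is this example's own.
"""
import ipaddress

# Address ranges that should never appear in hosts.pub (RFC 1918 and loopback).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed input: the chapter's example hosts file.
HOSTS = """\
192.168.1.17 VelociRaptor.xyz.com VelociRaptor
192.168.1.22 server.xyz.com server
192.168.1.1 wkst1.xyz.com
192.168.1.2 wkst2.xyz.com
192.168.1.3 wkst3.xyz.com
192.168.3.10 wkst10.xyz.com
192.168.3.11 wkst11.xyz.com
192.168.3.12 wkst12.xyz.com
127.0.0.1 localhost.xyz.com localhost
169.254.1.2 news.xyz.com news
169.254.1.3 web.xyz.com www
"""

# Constructed input: the chapter's example hosts.pub file.
HOSTS_PUB = """\
169.254.1.2 news.xyz.com
169.254.1.3 web.xyz.com
169.254.0.1 VelociRaptor.xyz.com
"""


def parse(text):
    """Return (name -> address, problems). Names match case-insensitively and
    the first line defining a name wins, as in a hosts file."""
    table, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue
        if len(fields) < 2:
            problems.append(f"line {lineno}: needs an address and a fully qualified host name")
            continue
        addr, fqdn, *aliases = fields
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"line {lineno}: {addr!r} is not an IP address")
            continue
        if "." not in fqdn.strip("."):
            problems.append(f"line {lineno}: {fqdn!r} is not a fully qualified host name")
            continue
        for name in (fqdn, *aliases):
            table.setdefault(name.lower(), addr)
    return table, problems


def leaked_private_entries(pub_table):
    """hosts.pub entries that would hand an internal address to outside users."""
    return sorted(f"{name} -> {addr}" for name, addr in pub_table.items()
                  if any(ipaddress.ip_address(addr) in n for n in INTERNAL))


def resolve(name, from_private, hosts=None, hosts_pub=None):
    """Lookup order the chapter describes: a private requester is served from
    hosts first, then hosts.pub; an outside requester sees only hosts.pub."""
    hosts = parse(HOSTS)[0] if hosts is None else hosts
    hosts_pub = parse(HOSTS_PUB)[0] if hosts_pub is None else hosts_pub
    key = name.lower()
    if from_private and key in hosts:
        return hosts[key]
    return hosts_pub.get(key)


if __name__ == "__main__":
    for fname, text in (("hosts", HOSTS), ("hosts.pub", HOSTS_PUB)):
        table, problems = parse(text)
        print(f"{fname}: {len(table)} names, problems: {problems or 'none'}")
    print("leaks in hosts.pub:", leaked_private_entries(parse(HOSTS_PUB)[0]) or "none")
    print("server.xyz.com from inside :", resolve("server.xyz.com", True))
    print("server.xyz.com from outside:", resolve("server.xyz.com", False))
```

Note how VelociRaptor.xyz.com resolves to the inside interface 192.168.1.17 for a private requester and to the outside address 169.254.0.1 for an outside one: the two files together give the split view of the site that the DNS proxy is there to provide.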



Verify connectivity 

On a system on the inside network, use the MS-DOS command ping to check 
whether your network is set up properly. Verify that you can connect to 
computers on the Internet and on each of your subnets. 

The ping command uses Internet Control Message Protocol (ICMP) echo 
packets to see if you can connect to a computer. You can ping using either name 
or address. 

Use ping in a command prompt window on your machine running Symantec 
Raptor Management Console. The syntax for ping is: 

ping IP_address    or    ping computer_name 



If you ping by name, the ping utility first attempts to find the address. If it cannot 
find the address, because of DNS or WINS problems, ping responds with "bad IP 
address." If it finds the address, ping proceeds. 

If you ping by address, ping sends a request for a response. If the computer is 
working and if you can reach it, you receive reply messages. If the computer is 
down or something is wrong with the network between you and the other 
computer, ping tells you the computer is unreachable or that the request has 
timed out. 

The following section refers to the routed network example in Figure 6-1 and uses 
the computer names shown in Table 6-2. 

Table 6-2 Routed network example computer names 

IP address       Computer name
192.168.1.1      wkst1
192.168.1.2      wkst2
192.168.3.12     wkst12



■ From a computer behind the appliance, such as wkst1 in our example, ping 
a computer on each subnet behind the VelociRaptor appliance as follows: 

ping wkst2.xyz.com 

ping wkst12.xyz.com 

Both of these computers should be reachable. If either of these commands 
fails, try again, using addresses: 

ping 192.168.1.2 

ping 192.168.3.12 

If the ping command succeeds with the address, you have a name resolution 
problem. 

If they are still unreachable, you have a networking problem. Make sure that 
wkst2 and wkst12 are on and connected to the network. Check the default 
gateway setting on wkst1 (it should be set to the inside interface of the 
VelociRaptor appliance). 

If wkst2 is reachable but wkst12 is not, your static route from the VelociRaptor 
appliance has not been established or your router is not configured properly. 
Also, check your default gateway setting on wkst12. 
If you cannot ping an address behind a router, ping both addresses of the 
router. If one is reachable but the other is not, you have a routing 
configuration problem. 

■ Test the news server with this command: 

ping news.xyz.com 

■ From an internal machine like wkst1, ping a computer outside your network. 

ping www.symantec.com 

The request should return an IP address for the requested name. The ping 
itself will be "timed out" or "unreachable" because ping is blocked by the 
VelociRaptor appliance. However, when the ping utility requests an IP 
address, DNS should be able to find it. 

If ping does not get an IP address for the outside name, you have a problem 
with outside name service. 

If you cannot receive an IP address for an outside name, attempt the same 
ping command from an outside machine (www.xyz.com in our example). If 
it does not work from there, the problem is more likely in your Internet 
router or your ISP's name server. 
Check to see that your default gateway is set properly. 
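The checks in this section form a decision tree, and the Python script below applies it. It is an added example, not part of this guide or the appliance. The name-resolution and ping probes are passed in as functions so that the logic can be exercised with recorded results; by default it uses the operating system resolver and ping command. Host names and addresses are those of Table 6-2 and the hosts file, and www.symantec.com is the outside name used above.

```python
"""Connectivity triage following the chapter's ping procedure.

Added example, not part of the manual. Probes are injectable so the decision
logic can run offline; the defaults use the OS resolver and ping command.
"""
import platform
import socket
import subprocess

# (name, expected address, kind). kind selects which verdicts apply:
#   local   - same subnet as the tester (wkst1)
#   routed  - behind the inside router, reached through a static route
#   outside - on the Internet: ping is blocked by the appliance, so only
#             name resolution is expected to succeed
CHECKS = [("wkst2.xyz.com", "192.168.1.2", "local"),
          ("wkst12.xyz.com", "192.168.3.12", "routed"),
          ("www.symantec.com", None, "outside")]


def os_resolve(name):
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def os_ping(target):
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    return subprocess.run(["ping", count_flag, "1", target],
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0


def triage(checks=CHECKS, resolve=os_resolve, ping=os_ping):
    """Return {name: verdict}, applying the ping procedure above."""
    verdicts, reachable = {}, {}
    for name, addr, kind in checks:
        resolved = resolve(name)
        if kind == "outside":
            # The appliance blocks ping, so only the DNS answer is meaningful here.
            verdicts[name] = ("ok: outside name resolves (ping itself is blocked by the appliance)"
                              if resolved else
                              "outside name service problem: check the DNS proxy, the Internet "
                              "router and the default gateway")
            continue
        # Step 1: ping by name. Step 2, on failure: ping the known address.
        if resolved is not None and ping(resolved):
            verdicts[name], reachable[kind] = "ok", True
            continue
        reachable[kind] = ping(addr)
        if reachable[kind]:
            how = f"resolves to {resolved}" if resolved else "does not resolve"
            verdicts[name] = f"name resolution problem: {addr} answers but {name} {how}"
        elif kind == "local":
            verdicts[name] = ("network problem: check that the host is up and that the tester's "
                              "default gateway is the appliance inside interface")
        else:
            verdicts[name] = ("routing problem: check the static route on the appliance, the "
                              "inside router and the host's default gateway; ping both router addresses")
    if reachable.get("local") is False and reachable.get("routed") is False:
        # Nothing past the tester answers, so the routed subnet is not the place to start.
        for name, _, kind in checks:
            if kind == "routed":
                verdicts[name] += " (the local subnet fails too, so start there)"
    return verdicts


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name}: {verdict}")
```

Run from wkst1 with the defaults it executes the real probes; the injectable form is what lets the four outcomes (all good, broken static route, broken inside name service, nothing reachable) be replayed from a table of results without a network.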





Chapter 7 

Management Console 



The Symantec Raptor Management Console is the graphical user interface for 
managing and monitoring all functions on the VelociRaptor appliance. 

Once you have connected to the VelociRaptor appliance, you can use the 
Symantec Raptor Management Console to edit information you entered during 
the initial VelociRaptor appliance configuration, such as passwords and license 
key data, and all other configuration tasks. Because the communications between 
the Symantec Raptor Management Console and the VelociRaptor appliance are 
encrypted, you can securely manage the appliance from a remote location. 

You can manage several appliances from a single Symantec Raptor Management 
Console and also manage a single appliance from several Symantec Raptor 
Management Consoles. You can also manage a mixture of VelociRaptor 
appliances, Symantec Enterprise Firewalls, and Symantec Enterprise VPNs from 
the same Symantec Raptor Management Console. 

The VelociRaptor appliance comes with an additional management utility called 
SRL (Secure Remote Login), which provides an encrypted command-line connection 
to the VelociRaptor appliance, allowing remote access to the operating system if 
needed. The Symantec Raptor Management Console is designed to provide access to 
all needed operating system configurations. See Use secure remote login on page 
119 for further details on SRL. 

Monitor VelociRaptor appliance 

Before you move into more advanced management functions, it is important to 
understand the monitoring capabilities of the VelociRaptor appliance. The 
Symantec Enterprise Firewall and Symantec Enterprise VPN Reference Guide deals 
with monitoring in detail. 
The Logfiles window allows you to view logfiles that contain information about 
the VelociRaptor appliance's operation. To access this window, click on Logfiles 
in the Symantec Raptor Management Console root directory. 

Table 7-1 lists a few messages you may encounter after setup. For a full list of 
messages, see the log file messages appendix of the Symantec Enterprise Firewall 
and Symantec Enterprise VPN Reference Guide. A number of common problems 
are discussed in depth in Knowledge Base, accessible from the Symantec 
Customer Service Support website at http://www.symantec.com/techsupp/. 



Table 7-1    Setup messages 

Number  Message and explanation 

120     TYPE Info: informational_message 
        Logs general information, such as license status and DNS problems. 

121     statistics: duration=(seconds) user=(user) auth=(auth type) 
        sent=(amount) rcvd=(amount) srcif=(source interface) 
        src=(source/port) dst=(dest/port) op=(option) arg=(file) 
        result=(result) proto=(protocol) notes 
        Logs statistics about a connection. Each element is optional, but 
        the elements that are present always occur in this order. Info 121 
        can be consumed by custom applications for accounting. 

501     access from incoming to outgoing (rule): (time period) 
        Suspicious Activity Monitoring has been triggered. Heavy access can 
        indicate an attack, but soon after installation it is more likely 
        that your thresholds are too low for heavily used services (HTTP in 
        particular). 

516     CPU Temperature is low/high 
        The VelociRaptor appliance temperature is slightly below or above 
        its normal operating range. 

616     CPU Temperature is too low/high 
        The VelociRaptor appliance temperature has reached a critical level. 
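The Info 121 statistics record is the one the table says custom applications can use for accounting. The following is an added example, not code shipped with the VelociRaptor appliance or the Symantec Raptor Management Console: a small Python accounting pass over constructed sample lines that keys on the field names rather than their positions (since any element may be absent), keeps any free text after the last key=value pair as notes, totals bytes per user, and flags sessions whose sent= volume crosses a threshold. The timestamp/hostname/message-number prefix on the sample lines, the threshold value and the function names are this example's assumptions, not the appliance's documented format.

```python
import re
from collections import defaultdict

# Constructed sample log lines. Only the "statistics:" body follows the field
# order given in Table 7-1 (message 121); the timestamp, hostname and
# message-number prefix is an assumed layout, not the appliance's exact format.
SAMPLE_LOG = """\
Mar 15 13:40:02 vronefive 121 statistics: duration=12 user=alice auth=none sent=1024 rcvd=20480 srcif=eth0 src=10.1.1.5/1044 dst=192.0.2.10/80 proto=http
Mar 15 13:41:19 vronefive 121 statistics: duration=340 user=bob auth=password sent=52428800 rcvd=4096 srcif=eth0 src=10.1.1.9/1050 dst=198.51.100.7/21 op=STOR arg=dump.zip result=226 proto=ftp
Mar 15 13:42:00 vronefive 120 Info: license status ok
Mar 15 13:43:30 vronefive 121 statistics: duration=5 sent=300 rcvd=900 srcif=eth1 src=203.0.113.4/51000 dst=10.1.1.25/25 proto=smtp scan server unavailable
"""

STATISTICS_RE = re.compile(r"\bstatistics:\s*(?P<body>.*)$")
FIELD_RE = re.compile(r"(?P<key>[a-z]+)=(?P<value>\S+)")
INT_FIELDS = ("duration", "sent", "rcvd")


def parse_statistics(line):
    """Return a dict of the key=value fields of a message-121 line, or None.

    Fields are optional, so the parser keys on names rather than positions.
    Free text after the last key=value pair is kept under "notes".
    """
    match = STATISTICS_RE.search(line)
    if match is None:
        return None
    body = match.group("body")
    record = {}
    last_end = 0
    for field in FIELD_RE.finditer(body):
        key, value = field.group("key"), field.group("value")
        record[key] = int(value) if key in INT_FIELDS else value
        last_end = field.end()
    notes = body[last_end:].strip()
    if notes:
        record["notes"] = notes
    return record


def split_endpoint(value):
    """Split the "address/port" form used by src= and dst= into a tuple."""
    if "/" not in value:
        return value, None
    address, _, port = value.rpartition("/")
    return address, (int(port) if port.isdigit() else None)


def account(log_text, exfil_threshold=10 * 1024 * 1024):
    """Per-user byte totals plus sessions whose sent= volume crosses a threshold.

    Records without user= (unauthenticated or rejected connections) are
    counted under "(unauthenticated)" so they are not silently dropped.
    """
    per_user = defaultdict(lambda: {"sessions": 0, "sent": 0, "rcvd": 0})
    flagged = []
    for line in log_text.splitlines():
        record = parse_statistics(line)
        if record is None:
            continue
        user = record.get("user", "(unauthenticated)")
        totals = per_user[user]
        totals["sessions"] += 1
        totals["sent"] += record.get("sent", 0)
        totals["rcvd"] += record.get("rcvd", 0)
        if record.get("sent", 0) >= exfil_threshold:
            flagged.append(record)
    return dict(per_user), flagged


if __name__ == "__main__":
    totals, flagged = account(SAMPLE_LOG)
    for user, t in sorted(totals.items()):
        print(f"{user:18} sessions={t['sessions']} sent={t['sent']} rcvd={t['rcvd']}")
    for record in flagged:
        dst, port = split_endpoint(record["dst"])
        who = record.get("user", "(unauthenticated)")
        print(f"large upload: user={who} {record['sent']} bytes to {dst}:{port} proto={record.get('proto')}")
```

Because the appliance rolls logfiles into /oldlogs when they reach the configured size, an accounting job like this should walk both the current logfile and the rolled files for the period it reports on.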



Managing passwords 

Once the VelociRaptor appliance is connected (see Connect to VelociRaptor 1.5 
appliance on page 48), you can use Symantec Raptor Management Console to 
change the information you entered, and the passwords you noted, during the 
initial setup procedure. For more information about connecting to the 
VelociRaptor appliance see Initial network configuration procedure on page 
35. 



Note: Record your passwords and keep the record somewhere secure. The 
Symantec Raptor Management Console, Root, and Secure Remote Login (SRL) 
passwords may be requested during future configuration of the VelociRaptor 
appliance, and you need them to do a configuration Backup and Restore. A 
Restore reinstates the Symantec Raptor Management Console password that 
was in effect when the backup was taken; the Root and SRL passwords are left 
as they are and are not reset to their original state. 



Remote management password 

You can change the VelociRaptor appliance's remote Symantec Raptor 
Management Console password from the Remote Management Password 
property page. 

To specify a Symantec Raptor Management Console password 

1 In the left pane of the Symantec Raptor Management Console, expand the 
Base Components folder. 

2 Select the Remote Management Passwords icon. 

3 Right-click on the Remote Management Passwords icon and choose New > 
Remote Management Password. 

The Remote Management Password Properties page opens, see Figure 7-1. 
[Figure 7-1 shows the Remote Management Password Properties dialog: a 
Remote Management Type group (Remote Management, Log Event Submission, 
Intrusion Detection, Logfile Retrieval, Read Only), an Intrusion Detection 
group with Port Number and Blacklist Timeout (minutes) fields, and the Remote 
Management System, Remote Management Password and Verify Password fields.] 

Figure 7-1 Remote management passwords 

4 In the Remote Management Type section, select Remote Management, if it is 
not already selected. 

5 In the Remote Management System field, type the IP address of the 
Windows NT system running the managing Symantec Raptor Management 
Console. The password you create here is associated with that address; to 
manage the appliance from another console, create a separate entry for that 
console's address (see Add Symantec Raptor Management Consoles). 

6 Type your new password into the Remote Management Password field. 

7 Type the new password again into the Verify Password field. 

8 Click OK. 



Root and secure remote login passwords 

You can change the VelociRaptor's root password and your Secure Remote Login 
(SRL) password from the System Properties page. 
To change the Root and SRL passwords 

1 Connect to the VelociRaptor appliance, see Connect to VelociRaptor 1.5 
appliance on page 48. 

2 Select the icon of the connected appliance in the left pane. Right-click the 
icon and choose Properties. The appliance's Properties page opens, see Figure 
7-2. 

[Figure 7-2 shows the Passwords tab of the appliance's Properties page: a 
Change Root Password section and a Change Secure Remote Login Password 
section, each with Password and Verify fields.] 

Figure 7-2 System Properties page, Password tab 

3 Select the Passwords tab. You can change your Root password, your SRL 
password, or both here. 

4 In the Root password or Secure Remote Login password section of the 
screen, type a new password in the Password field. 

5 In the Verify field, type the new password again. 

6 Click OK. 



See Use secure remote login on page 119 for instructions on Secure Remote 
Login. See the Symantec Enterprise Firewall and Symantec Enterprise VPN 
Reference Guide for further information. 
Change system settings 



You can change the VelociRaptor appliance's system settings from Symantec 
Raptor Management Console. 

To change the system settings 

1 Connect to the VelociRaptor appliance, see Connect to VelociRaptor 1.5 
appliance on page 48. 

2 In the left pane, select the icon of the connected appliance. 

3 Right-click the icon and choose Properties. 

The appliance's properties page opens. 

4 Select the System tab, see Figure 7-3. 

Here you can change the VelociRaptor appliance system name, the domain 
name, and the default gateway address. You can also select UPS 
(Uninterruptible Power Supply) support and enable or disable front keypad 
locking. See Front panel keypad locking on page 121 for more information. 



[Figure 7-3 shows the System tab of the appliance's Properties page: System 
Name, Domain Name and Default Gateway Address fields, UPS Support 
(Stop/Start) and Front Panel Keypad Locking (Disable/Enable) radio buttons.] 

Figure 7-3 System settings 
5 Make any necessary changes. 

6 Click OK. 

You must save and reconfigure the VelociRaptor appliance for your changes 
to take effect. 

7 In the left pane, click Symantec Raptor Management Console. 

8 Select All Tasks > Save and Reconfigure. 



Change the date and time 



You can change the VelociRaptor appliance's date and time through the 
Symantec Raptor Management Console. 

To change the date and time 

1 Connect to the VelociRaptor appliance, see Connect to VelociRaptor 1.5 
appliance on page 48. 

2 In the left pane, select the appliance system icon of the connected appliance. 

3 Right-click the icon and choose Properties. 

The appliance's properties page opens. 

4 Select the Date/Time tab, see Figure 7-4. 
[Figure 7-4 shows the Date/Time tab: a Change Date and Time check box, a 
Time and Date field and a Timezone pull-down (for example, US/Eastern).] 

Figure 7-4 Change date and time 

5 Check the Change Date and Time checkbox to change the current settings. 

6 From the Time and Date and Timezone pull-down fields, select the 
appropriate settings. 

7 Click OK when finished. 
Changes take effect immediately. Keep the appliance clock accurate: logfile 
timestamps, and the date-based logfile names described under Manage log 
files, depend on it. 



Define a license key 



If necessary, you can enter a license key for the first time or change the current 
VelociRaptor appliance license key through Symantec Raptor Management 
Console from the license tab of the appliance's properties page. For further 
license key information, see Get your license key on page 40. 

To enter or change your license key 

1 In the left pane, select the appliance's icon. 

2 Right-click the icon and choose Properties to display the appliance's 
properties page. 
[Figure 7-5 shows the License tab: License Limit, Used User Licenses, Used 
Server Licenses and System Id are displayed, and the License Key field is 
editable.] 

Figure 7-5 Type a license key 

3 Select the License tab, see Figure 7-5. 

4 In the License Key field, enter a new VelociRaptor appliance license key or, if 
you have a 30 day non-licensed copy, enter a license key for the first time. 

5 Click OK. 

6 To save your new key, in the left pane, right-click in Symantec Raptor 
Management Console, and select All Tasks > Save and Reconfigure. 

7 To make the license change take effect, restart the VelociRaptor appliance. 

Perform a system shutdown from the Symantec 
Raptor Management Console 

From the Symantec Raptor Management Console All Tasks menu, you can 
remotely perform VelociRaptor appliance system shutdowns. 
To shut down from Symantec Raptor Management Console 

1 Right-click the appliance icon from within Symantec Raptor Management 
Console and, in the All Tasks menu, click System Shutdown, see Figure 7-6. 

[Figure 7-6 shows the appliance's All Tasks menu: Disconnect, Editor, 
Reconfigure, Stop, System Shutdown, System Reboot, Restore, Backup, Patch, 
SRL Client, Save All, Change Log, Import Users..., Import VPN...] 

Figure 7-6 System Shutdown menu 

2 You are asked to confirm this shutdown. 

A System Shutdown shuts down the VelociRaptor appliance software, the 
Linux OS, and all its applications. The appliance remains powered on, but no 
software is running. 

3 It is safe to turn the VelociRaptor appliance off when the LCD display reads 
"PLEASE SWITCH POWER OFF NOW". 

4 You must now power cycle the appliance to bring it back up. 

Perform a system reboot from the Symantec Raptor 
Management Console 

In the Symantec Raptor Management Console All Tasks menu, you can remotely 
perform system reboots. 

To reboot from Symantec Raptor Management Console 

1 Right-click on the appliance icon from within Symantec Raptor 
Management Console and in the All Tasks menu click System Reboot. 

2 You can confirm that the reboot completed by reconnecting to the appliance. 

A System Reboot restarts the VelociRaptor appliance software. The Linux OS 
and all its applications are brought down and then restarted. 
Back up configuration files 

In the Symantec Raptor Management Console All Tasks menu, you can perform 
manual system backups of your configuration files. 

Configuration files are stored on the VelociRaptor appliance. Backup files are 
stored on the Symantec Raptor Management Console machine and are 
identified by hostname, date, and time, with an .rfwcfg extension. For 
example: VelociRaptor-2002-March-15-13-51-48.rfwcfg 

To do a manual configuration file backup 

1 In the left pane, right-click the appliance icon from within Symantec Raptor 
Management Console and in the All Tasks menu, select Backup. 
The Backup dialog box is displayed, see Figure 7-7. 



[Figure 7-7 shows the Backup dialog box: a Local backup file name field with 
a Browse button (defaulting to the console's backup directory), a Set Recover 
password check box, and Recover password and Verify fields.] 

Figure 7-7 Backup property page 

2 From the Local backup file name field, click Browse to display the open 
Saved System Configuration dialog box. This opens to the default location 
for backup files: 

\Program Files\Symantec\Raptor Management Console\backup 

When you enter a filename and click Save, the file name is placed in the field. 
You can also type the path and file name for the backup into the field. The 
file name must have the extension .rfwcfg. If the directory does not exist, 
you are asked whether you want to create it. 

3 Optionally, check the Set Recover password check box and enter a 
password. This password lets you decrypt the backed-up key files if you 
restore them to another VelociRaptor appliance with a different system 
name, see Restore configuration files on page 116. Because the backup 
contains the appliance's key files, store the .rfwcfg file and the recover 
password separately and protect both as carefully as the Root password. 



Note: If you do not enter a password, you cannot restore backed up 
configuration files to another VelociRaptor appliance. You can only restore 
them on the same machine. 



Restore configuration files 

From the Symantec Raptor Management Console All Tasks menu, you can restore 
backed up configuration files to your VelociRaptor appliance or to another 
VelociRaptor appliance. If you backed up the files with a recover password so 
that the key files can be decrypted on another machine, you must enter that 
same password on the new machine when you restore. 



Caution: This procedure assumes that the new machine has the same IP 
addresses and hostname as the original. Otherwise, you may have to edit 
configuration files by hand (using SRL) after restoring them to the new machine. 



To restore backup configuration files to your VelociRaptor appliance 

1 In the left pane, right-click the appliance icon from within Symantec Raptor 
Management Console and, in the All Tasks menu, select Restore to display 
the Restore property page, see Figure 7-8. 
[Figure 7-8 shows the Restore dialog box: a Local backup file name field with 
a Browse button, a Set Recover password check box, and Recover password 
and Verify fields.] 

Figure 7-8 Restore property page 

2 In the Local backup file name field, use the Browse button to locate the 
backed up *.rfwcfg file you created. 

3 If you typed a recovery password when you backed up the files on the 
original machine, click the Set Recover password check box and type the 
same password here to decrypt your secret keys on the second machine. 



Note: If you did not enter a password when you originally backed up these 
files, you can restore the configuration files to the same machine but you 
cannot successfully restore the files to another machine. 



4 Click OK. 

Apply patches to the VelociRaptor software 

Patches or hot fixes may be provided for your existing VelociRaptor software. 
The Patch option, available from the Symantec Raptor Management Console All 
Tasks menu, lets you "push" a patch from the Symantec Raptor Management 
Console machine to the VelociRaptor appliance. 
To apply a patch 

1 Download the patch (.tgz file) from the Symantec Web site to your Symantec 
Raptor Management Console machine, then select All Tasks > Patch from 
within Symantec Raptor Management Console. The console installs whatever 
archive you select, so take patches only from the Symantec Web site and 
confirm you have the right file before pushing it. 



[Figure 7-9 shows the Open System Software Patch dialog box, a standard file 
browser with Files of type set to System Patch (*.tgz).] 

Figure 7-9 Open System Software Patch page 

2 The Symantec Raptor Management Console prompts you to browse to the 
patch on your local system. 

3 When you locate the patch, click Open. 

The patch unpacks and installs to the VelociRaptor appliance. 



Note: Once the patch or hot fix is applied, the VelociRaptor appliance 
automatically restarts and the Symantec Raptor Management Console 
disconnects from the appliance. 



Manage log files 

When a logfile exceeds a certain size (default 200MB), the system automatically 
starts another logfile by running the Changelog command. This prevents a single 
logfile from exhausting the available disk space. Through Symantec Raptor 
Management Console, you can run a manual Changelog command on the 
VelociRaptor system to roll the current logfile over to the /oldlogs directory. 
For more detailed information on Changelog, see the Symantec Enterprise 
Firewall and Symantec Enterprise VPN Guide, provided as a PDF file. 
To perform a manual ChangeLog command 

1 In the left pane, from within Symantec Raptor Management Console, 
right-click the appliance icon and select All Tasks > ChangeLog, see 
Figure 7-10. 

Figure 7-10 ChangeLog menu 

2 The current logfile is placed in the /oldlogs directory and named according 
to the Symantec Raptor Management Console logfile dating convention, 
for example 2002315 (Mar. 15, 2002). A new logfile is then started. 

Add Symantec Raptor Management Consoles 

The appliance can be managed by more than one Symantec Raptor Management 
Console, although not at the same time: only one console can be in read/write 
(managing) mode at a time, and all others are in read-only mode (view 
configuration and logs). To configure remote management by another Symantec 
Raptor Management Console, follow the instructions in Managing passwords on 
page 106, typing the IP address of the new remote host in the Remote 
Management System field. 

You can then connect to this appliance from a Symantec Raptor Management 
Console at that specified address. Type the appropriate hostname and 
password into the login window. 

Use secure remote login 

Secure Remote Login lets a user on a machine with Symantec Raptor 
Management Console log in to the VelociRaptor appliance and review system 
files, reboot the machine, or perform other troubleshooting or debugging tasks 
that are outside of normal appliance operations. All remote traffic is encrypted. 
You must use the Symantec Raptor Management Console version of Tera Term 
Pro, and not the standalone version. 

To make an SRL connection from Symantec Raptor Management Console to 
the VelociRaptor system 

1 Select the appliance icon from Symantec Raptor Management Console, 
right-click and choose All Tasks > SRL Client to display the Tera Term Pro 
window logon dialog box, see Figure 7-11. 



[Figure 7-11 shows the Tera Term Pro window with the SRL Passwords dialog 
box in front of it: a Management field and an SRL field, with OK and Cancel 
buttons.] 

Figure 7-11 Tera Term Pro window 

2 In the Management field, enter your Symantec Raptor Management Console 
password. 

3 In the SRL field, enter your SRL password. 

You need this password to establish a secure connection. The VelociRaptor 
appliance displayed this password to you during the initial setup procedure. 
You can change the SRL password through Symantec Raptor Management 
Console as described in Managing passwords on page 106. 

4 Click OK. 



Once connected through SRL, you can securely perform any necessary 
administrative functions on the VelociRaptor appliance. Because an SRL 
session is a command-line login to the appliance's operating system, treat the 
SRL password with the same care as the Root password. 

Front panel keypad locking 



Locking the VelociRaptor appliance provides additional security against 
personnel who should not have access privileges to the appliance. If the front 
panel is locked, only individuals with knowledge of the Root System Password 
can disable the lock in order to continue working with the front panel. 

To enable locking 

1 From the Symantec Raptor Management Console, select the VelociRaptor 
appliance icon and right-click. 

2 Click Properties to display the appliance's Properties page. 

3 Select the System tab. 

4 Beside Front Panel Keypad Locking, check the Enable radio button to lock 
the front keypad, see Figure 7-12. 



[Figure 7-12 shows the System tab with Front Panel Keypad Locking set to 
Enable.] 

Figure 7-12 Enabling keypad locking 

5 Click OK. 

6 Save and reconfigure the appliance (All Tasks > Save and Reconfigure). 






Use a locked keypad 

To use a locked keypad 

1 When you press an arrow key on the appliance front panel with the keypad 
locked, the root password prompt displays. Type the root password that was 
provided during setup, see Step 9 on page 37. 

2 To enter your Password, use the Up (^) and Down (v) arrow buttons on the 
appliance front panel to scroll through the alphabet. When the character you 
want appears in the brackets [ ], press the right arrow (>) button to select it, 
then select the next character the same way. 

Passwords are limited to 8 lowercase alpha (a-z) characters only. This 
restriction leaves only 26^8 (about 2 x 10^11) possible values, so the lock is a 
deterrent against casual use of the front panel, not a substitute for physically 
restricting access to the appliance. 



Note: If you type an incorrect character, you can either press the Cancel 
button ('S') or you can go back using the left arrow (<) button. Your 
selections will be erased to the point at which you want to make your 
correction. 



3 Once you have correctly typed your Password, press the E button. You now 
have access to the locked keypad. 

Once Locking is enabled, the appliance automatically locks after five (5) 
minutes of keypad inactivity. 




Antivirus Scanning 



Viruses spread easily over the Internet and pose a major threat to critical 
business operations. Implementing antivirus protection at the firewall is an 
important step in protecting your network against viruses and related threats. 
The VelociRaptor appliance provides virus protection when configured as a 
client of a Symantec Gateway Security appliance running the antivirus scan 
server. 

The VelociRaptor lets you configure antivirus scanning and email filtering by 
individual proxy. The FTP, HTTP, and SMTP proxies on the VelociRaptor 
appliance can be configured to pass files to a Symantec Gateway Security 
appliance, which in turn scans the files for viruses and mail policy violations. Files 
that have unrepairable infections or that violate the established mail policy are 
blocked, while clean files and infected files that can be repaired are allowed to 
pass through. 

The Proxy Services configuration for each individual proxy lets you select the IP 
address and port number of the Symantec Gateway Security appliance that will 
handle the antivirus scanning for that proxy. All antivirus scanning and email 
filtering is based on the specific antivirus configuration of the Symantec Gateway 
Security appliance serving the VelociRaptor. 

Configuring antivirus scanning proxy services 

The client component of the antivirus implementation is configured through the 
FTPD, HTTPD, and SMTPD Proxy Services configuration. In the configuration 
for each proxy service, you configure the way in which antivirus is implemented 
for that proxy. When you create specific rules for a given proxy and enable 
antivirus scanning for those rules, the antivirus settings you configure via the 
Proxy Services configuration apply to the antivirus scanning for that proxy. 
The proxy configuration for each proxy lets you specify the following: 

■ The IP address and port number of the Symantec Gateway Security appliance 
that will provide scanning services 

■ The handling of files when the Symantec Gateway Security appliance is 
unavailable 

■ The handling of infected files; and the types of files (by extension) that will 
be submitted to the Symantec Gateway Security appliance for scanning 

The proxy establishes a TCP/IP connection to the Symantec Gateway Security 
appliance and passes the file to be scanned to the Symantec Gateway Security 
appliance. The Symantec Gateway Security appliance scans the file and handles it 
based on the configuration settings established for that proxy. 

Configuring antivirus scanning for the FTP, HTTP and SMTP proxies 

The Proxy Services configuration you set up for FTPD, HTTPD or SMTPD, 
respectively, determines how virus scanning is implemented for all rules for 
which FTP, HTTP or SMTP is enabled as a service and for which antivirus 
scanning is enabled. 

To configure the antivirus settings for FTP, HTTP or SMTP 

1 In the left pane, expand the Access Controls node. 

2 Click Proxy Services. 

3 In the right pane, double-click FTPD, SMTPD or HTTPD to display the 
corresponding Proxy Properties page. 
4 Click the Antivirus Scanning tab. 

Use this tab to control the behavior of virus scanning. 



[Figure 8-1 shows the Antivirus Scanning tab of the FTPD Proxy Properties 
page (other tabs: Status, Timeout, Port Restrictions): Antivirus scan server IP 
address, Antivirus scan server port number, a Block traffic if server is 
unavailable check box, a Scan Options list (for example, Scan and Delete), and 
an editable Include list.] 

Figure 8-1 Services Properties - Antivirus Scanning Tab 

5 In the Antivirus scan server IP address field, type the physical IP address of 
the Symantec Gateway Security appliance that will be used to scan for 

6 In the Antivirus scan server port number field, type the port on which the 
Symantec Gateway Security appliance listens. 

This port number must match the port number configured on the Symantec 
Gateway Security appliance, in its Global_Antivirus_Configuration. See 
Symantec Gateway Security appliance setup on page 131 for more 
information. 

7 To block traffic if the Symantec Gateway Security appliance is not 
available for scanning, check the Block traffic if server is unavailable check 
box. 

If you select Block traffic if server is unavailable and the proxy is unable to 
contact the Symantec Gateway Security appliance for scanning, the files are 
blocked: the proxy does not forward the unscanned file to its destination, and 
an error message is logged indicating that the VelociRaptor could not connect 
to the Symantec Gateway Security appliance. If the box is not checked, 
traffic is not blocked when the scan server is unreachable, which means files 
pass through unscanned; check it unless availability of the service matters 
more to you than the scan. 
8 Use the Scan Options list to select how scanned files are handled: 

■ Scan and Log: When a virus is detected during scanning, a log entry is 
generated (no repair is attempted) and the file or message is still 
forwarded to the intended destination. This is a detect-only mode: it 
gives you visibility but no protection. 

■ Scan and Delete: When a virus is detected, the infected file is deleted (no 
repair is attempted), and a log entry is generated. 

■ Scan and Repair or Delete: When a virus is detected, the Symantec 
Gateway Security appliance attempts to repair the infected file. Infected 
files that cannot be repaired are deleted, and a log entry is generated for 
each deleted file. 

9 Use the Which file extensions to scan drop-down list to select the file types 
that will be sent for scanning. The Symantec Gateway Security appliance uses 
these lists to determine what to scan when there are container files: 

■ All files: All files regardless of extension are sent to the Symantec 
Gateway Security appliance for scanning. 

■ Only those in include list: Only files with the extensions listed in the 
include list are sent to the Symantec Gateway Security appliance. If you 
select this option, you can edit the include list to add or delete file 
extensions. The default include list contains those file types considered 
at risk of infection. 

■ All except those in exclude list: All files except those with the extensions 
listed in the exclude list are sent to the Symantec Gateway Security 
appliance. If you select this option, you can edit the exclude list to add or 
delete file extensions. The default list includes those file types not likely 
to be infected. 



Note: The default include and exclude lists contain the recommended file 
types to protect your network against viruses and other types of malicious 
code. To minimize potential exposure to infection, use care in editing 
extension lists. For maximum security, you can select to scan all file types 
regardless of extension, but be aware that performance may be impacted 
during periods of peak usage. 



10 If you have selected Only those in include list from the Which file extensions 
to scan list, optionally edit the Include list to add or remove file extensions. 
Add any additional file extensions you want to scan. Delete any extensions 
that you do not want to scan. 

■ Use a semicolon (;) to separate file extensions. 

■ Use a single period to indicate a file without an extension. 
■ Use a question mark (?) as a wildcard. 

If you make changes to the list of included files and want to restore the 
default list of files, click Restore default list. 

11 If you have selected All except those in exclude list from the Which file 
extensions to scan list, optionally edit the exclude list to add or remove file 
extensions. Add any file extensions you do not want to scan. Delete any 
extensions that you want to scan. 

■ Use a semicolon (;) to separate file extensions. 

■ Use a single period to indicate a file without an extension. 

■ Use a question mark (?) as a wildcard. 

12 Click OK to save your configuration. 
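Steps 9 to 11 describe a small matching language for the include and exclude lists: semicolon-separated entries, a lone period for files with no extension, and ? as a single-character wildcard. The following is an added Python example, not the appliance's own code, of how a proxy could apply those rules to a file name under each of the three Which file extensions to scan choices. The sample lists are constructed (they are not the appliance's default lists), and case-insensitive matching, tolerating a leading period on an entry, and the way the extension is taken from names like archive.tar.gz or .profile are assumptions the guide does not settle; the mode names are this example's.

```python
import re

# Constructed sample lists, not the appliance's default include/exclude lists.
# Entries are separated by ";", a lone "." means "files with no extension",
# and "?" matches exactly one character. Case-insensitive matching and
# tolerating a leading "." on an entry ("exe" or ".exe") are assumptions,
# since the guide does not say how the appliance compares extensions.
SAMPLE_INCLUDE = "exe;com;do?;xl?;vbs;js;zip;."
SAMPLE_EXCLUDE = "jpg;jpeg;gif;png;txt"


def parse_extension_list(text):
    """Split a ';'-separated list into normalised entries."""
    entries = []
    for raw in text.split(";"):
        item = raw.strip().lower()
        if not item:
            continue
        if item != "." and item.startswith("."):
            item = item[1:]
        entries.append(item)
    return entries


def extension_of(filename):
    """Extension after the last '.' of the base name; "" when there is none.

    Assumption: "README", "archive." and ".profile" all count as having no
    extension, so only the lone "." entry can match them.
    """
    base = re.split(r"[\\/]", filename)[-1]
    head, sep, ext = base.rpartition(".")
    if not sep or not head or not ext:
        return ""
    return ext.lower()


def _entry_to_regex(entry):
    """Translate an entry into a regex: '?' matches one character, all else literal."""
    return "".join("." if ch == "?" else re.escape(ch) for ch in entry)


def extension_listed(filename, entries):
    """True if the file's extension matches any entry (or '.' and no extension)."""
    ext = extension_of(filename)
    for entry in entries:
        if entry == ".":
            if ext == "":
                return True
        elif re.fullmatch(_entry_to_regex(entry), ext):
            return True
    return False


def should_scan(filename, mode, include_list="", exclude_list=""):
    """Decide whether a file is submitted to the scan server.

    mode is "all" (All files), "include" (Only those in include list) or
    "exclude" (All except those in exclude list), mirroring the three
    choices on the Antivirus Scanning tab.
    """
    if mode == "all":
        return True
    if mode == "include":
        return extension_listed(filename, parse_extension_list(include_list))
    if mode == "exclude":
        return not extension_listed(filename, parse_extension_list(exclude_list))
    raise ValueError(f"unknown mode: {mode!r}")


if __name__ == "__main__":
    for name in ("setup.exe", "budget.xlsx", "README", "photo.jpg", "archive.tar.gz"):
        inc = should_scan(name, "include", SAMPLE_INCLUDE)
        exc = should_scan(name, "exclude", exclude_list=SAMPLE_EXCLUDE)
        print(f"{name:16} include-list: {inc!s:5} exclude-list: {exc}")
```

Note that ? matches exactly one character, so an entry such as xl? covers xls but not xlsx; if you intend to scan a family of extensions, list each one. A file with no extension at all only reaches the scanner in include mode if the list contains the lone period, which is the kind of gap worth checking whenever you edit the default list.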

Enabling antivirus scanning in a rule 

To enable antivirus scanning for the FTP, HTTP, or SMTP proxy in a rule, you 
must enable the appropriate proxy as a service and make sure that application 
data scanning is enabled in the rule. 

To create a rule with antivirus scanning enabled 

1 In the left pane, expand the Access Controls node. 

2 Right-click Rules. 

3 Select New > Rule to display the Rule Properties page. 
[Figure 8-2 shows the Rule Properties page with its tabs: General, Services, 
Time, Authentication, Alert Thresholds, Miscellaneous, Advanced Services.] 

Figure 8-2 Rule Properties page 

4 Write the rule in accordance with the chapter on Rules in the Symantec 
Enterprise Firewall and Symantec Enterprise VPN Configuration Guide. 

5 Click the Miscellaneous tab. 

6 Make sure that the Application Data Scanning check box is checked. 

7 Click the Services tab. 

8 Continue with one of the following procedures for FTP, HTTP, or SMTP. 

To configure the FTP proxy for antivirus scanning 

1 Select ftp* from the Excluded Services list and use the » button to move it 
to the Included Services list. 
2 Select ftp* in the Included Services list and click Configure to display the 
FTP Rule Properties page. 

[Figure 8-3 shows the FTP Rule Properties page, Antivirus tab, with an Enable 
Antivirus Scanning check box. The tab notes that Application Data Scanning 
has to be enabled for this option.] 

Figure 8-3 FTP Rule Properties Page 

3 Click the Antivirus tab. 

4 Check the Enable Antivirus Scanning check box. 

5 Click OK. 

6 When you have finished writing the rule, click OK. 



To configure the HTTP proxy for antivirus scanning 

1 Select http* from the Excluded Services list and use the » button to move it 
to the Included Services list. 

2 Select http* in the Included Services list and click Configure to display the 
HTTP Rule Properties page. 

3 Click the Antivirus tab. 



4 Check the Enable Antivirus Scanning check box. 

[Figure 8-4 shows the HTTP Rule Properties page (tabs: Protocols, 
Restrictions, Web Proxy, Antivirus) with the Antivirus tab selected and its 
Enable Antivirus Scanning check box.] 

Figure 8-4 HTTP Rule Properties Antivirus page 

5 Click OK. 

6 When you have finished writing the rule, click OK. 

To configure the SMTP proxy for antivirus scanning 

1 Select smtp* from the Excluded Services list and use the » button to move 
it to the Included Services list. 

2 Select smtp* in the Included Services list and click Configure to display the 
SMTP Rule Properties page. 
3 Click the Antivirus tab. 

Figure 8-5 SMTP Rule Properties Antivirus Page 

4 Check the Enable Antivirus Scanning check box. 

5 Click OK. 

6 When you have finished writing the rule, click OK. 

Symantec Gateway Security appliance setup 

On the Symantec Gateway Security appliance, you must specify the Bind Address 
on which the local scan server listens for remote requests. The following 
procedure must be performed on the Symantec Gateway Security appliance 
serving the VelociRaptor. 

To set up a Symantec Gateway Security appliance to accept remote requests 
for scanning 

1 Using the Symantec Raptor Management Console, connect to the remote 
Symantec Gateway Security appliance. 
2 Double click Global_Antivirus_Configuration in the right pane to display 
the Global_Antivirus_Configuration Properties page. 

Figure 8-6 AV Global Antivirus Configuration Properties Page - General Tab 

3 Use the Bind Address drop-down list to specify the interface on which the 
local antivirus scan server listens. 

To enable requests for scanning from a VelociRaptor you must select 
<ALL - 0.0.0.0>, eth0 or eth1: 

■ If you select <ALL - 0.0.0.0>, the antivirus scan server accepts all 
requests that it receives (local and nonlocal). 

■ If you select eth0, the antivirus scan server accepts only scan requests 
from the eth0 interface. By default, this is the inside interface. Select this 
only if your VelociRaptor is connected to the eth0 interface. 

■ If you select eth1, the antivirus scan server accepts only scan requests 
from the eth1 interface. By default, this is the outside interface. Select 
this only if your VelociRaptor is connected to the eth1 interface. 

You must not select <LOCAL - 127.0.0.1>: 

■ This address is the loopback interface. If you select this option, 
the Symantec Gateway Security appliance will not accept any scanning 
requests from the VelociRaptor appliance. 

Note: On some Symantec Gateway Security appliances, the eth2 and eth3 
interfaces may also be available for use, depending on your configuration. 



4 Type the TCP/IP Port Number on which the Symantec Gateway Security 
appliance listens. 

This port number must be assigned to listen only for scanning requests from 
the VelociRaptor appliance. Once it is assigned, it cannot be used for any 
other purpose. The default port number is 1344. If you use a port number 
other than the default, select a number greater than 1024 that is not in use by 
any other program or service. 

5 Click OK. 

Symantec Gateway Security antivirus configuration 

All antivirus scanning is based on the specific antivirus configuration of the 
Symantec Gateway Security appliance that serves the VelociRaptor. See the 
Antivirus chapter in the Symantec Gateway Security Installation and Configuration 
Guide for more information. 
High Availability and Load Balancing 

The VelociRaptor appliance provides High Availability and Load Balancing (HA/ 
LB) features. Load balancing allows the members of a cluster to share the work. A 
special case, or feature, of load balancing is referred to as high availability, 
meaning that if one appliance fails, the remaining member or members of the 
cluster can take over and continue to share the load. 

HA/LB is an optional feature. You must purchase an HA/LB Crossgrade License 
for each appliance in a cluster. Check with your system administrator for license 
requirements. 

HA/LB Implementation 

The VelociRaptor appliance is a critical component of network security. A single 
appliance configuration (a network without HA/LB) may not be appropriate for 
all situations for the following reasons: 

■ Single point of failure 

■ Possible bottleneck 

As a single point of failure, if the appliance is down, your external users no longer 
have access to internal resources, and your internal users are cut off from external 
networks. Although the network is still secure, it is off-line until the appliance is 
restored to service. 

Figure 9-1 Non HA/LB network 

One solution is to add additional appliances to your company network. Multiple 
appliances can be configured to act as if they were one gateway. This is referred to 
as a cluster. If one member of a cluster has a failure the others will continue to 
operate and pick up the load (network traffic) of the failed appliance without any 
interruption of service to the users of the network. 

The following example depicts a three appliance software HA/LB cluster. The first 
step in creating this cluster is to physically setup and configure the appliances on 
the network. Internal and external interfaces on each appliance must be 
configured properly, and the networks that each appliance talks to must also be 
configured. 

The second step is the setup of VIPs on the network. See Cluster members screen 
on page 139. 
Three appliance cluster example 

In this example, each of the three VelociRaptor appliances uses all four of its 
network ports (located on the back panel of the appliance), as shown in Figure 9-
2, to connect to the networks shown in Figure 9-3. 

Figure 9-2 VelociRaptor appliance back panel (port labels: Inside Port; Service 
Network 172.168.6.0/24; Dedicated (Heartbeat) Network 192.168.30.0/24) 

Each of the three appliances is configured and connected to the network in the 
same way. Even if two of the appliances fail, the third appliance will pick up the 
load. The three internal networks will still be secure and online, although with 
diminished throughput capacity because one appliance is bearing the full 
network load. 



Figure 9-3 Three appliance cluster network diagram (labels: Internet; External 
Network; Router 169.10.10.1; SGS-A 169.10.10.2; SGS-B 169.10.10.3; SGS-C 
169.10.10.4; Dedicated (Heartbeat) Network 192.168.30.0/24; Service Network 
172.168.6.0/24; Internal Network 192.168.1.0/24; Router 192.168.10.1; 
192.168.10.0/24; Servers) 

Figure 9-3 is a three appliance HA/LB network diagram that shows a typical 
VelociRaptor cluster implementation. Our clustered network consists of the 
following components: 

■ External network: The external network is the 169.10.10.0/24 network. This 
network connects to the Internet through our router (169.10.10.1). 
■ Dedicated network: The dedicated network is the 192.168.30.0/24 network. It is used 
as the heartbeat or control network. Each appliance in the cluster uses the 
heartbeat network to exchange state information about the cluster. 

■ Service network: Our service network is the 172.168.6.0/24 network. A 
service network could have Web, SMTP, and FTP servers. This network could 
contain many machines and subnets. 

■ Internal network: Our internal network is the 192.168.1.0/24 network. This 
network could contain many machines and subnets. 



Note: A heartbeat network does not have to be a network dedicated to only 
heartbeat communications, as shown in this example. 
Heartbeat communications can run on any internal network with other 
traffic and subnets. 



To create this cluster, use the Create Cluster Wizard and follow the steps in 
Creating a cluster for software high availability/load balancing on page 147. 
When you get to the Cluster members screen you would add cluster members 
using their IP Addresses as shown in Figure 9-4. 



Figure 9-4 Cluster members screen 
Setting Up VIPs 

Setting up VIPs for this cluster is the next step. Each machine in the cluster shares 
the same VIP address for a given subnet, and is viewed as a potential candidate to 
receive packets. If one appliance fails, another appliance handles any new 
requests, providing continued connectivity to your network. Figure 9-5 shows 
our example with VIPs. 

Because the VIP is assigned to a subnet, all of the machines in the cluster on the 
subnet are viewed as a single IP address. With load balancing configured, this 
allows the cluster to spread the connections more evenly over several different 
appliances, instead of always sending requests to one appliance. 



Note: The VIP should be assigned using an IP address higher than any of the 
nodes supporting that VIP. 
Figure 9-5 HA/LB cluster with VIPs 



The next step is to modify the routing tables on each of the machines 
and servers on each of the networks. All machines and servers must now point to 
the VIPs instead of the real IP addresses for HA/LB to work properly. If the 
machines and servers continued to point to the real IP addresses of the 
appliances, and one of the appliances failed, all of the machines and servers 
pointing to that security gateway would be cut off from the network. Table 9-1 
shows the VIP settings for our cluster network. 

Table 9-1 VIP addresses 

Network Address     VIP Address       Network Type 
169.10.10.0/24      169.10.10.250     Outside - Internet 
192.168.30.0/24     192.168.30.250    Dedicated - Heartbeat 
172.168.6.0/24      172.168.6.250     Service 
192.168.1.0/24      192.168.1.250     Internal 



The next step is to set the default gateway of our dedicated (heartbeat) network 
machines to VIP 192.168.30.250. Then set the default gateway of our internal 
network machines (everything on the 192.168.1.0/24 network) to VIP 
192.168.1.250. Then change the default gateway of the interface on the servers 
residing on our service network to point to VIP 172.168.6.250. Each of these is a 
different network and therefore needs its own VIP. 

DNS resolvers must be configured to point to the individual IP addresses of the 
appliances, not the VIP addresses. 

Finally, configure a static route on the 169.10.10.1 router (outside network - 
Internet) that says that all traffic destined for the 169.10.10.0/24 network should 
go through the VIP 169.10.10.250. 

To configure VIPs, use the Create Cluster Wizard and follow the steps in 
Creating a cluster for software high availability/load balancing on page 147. 
When you get to the Define primary subnet and virtual IP addresses screen, you 
would assign a subnet to be the heartbeat network and assign VIP addresses to 
cluster members as shown in Figure 9-6. 
Figure 9-6 Define primary subnet and virtual IP address screen 

Use the VIP addresses as reference points to previous definitions that would 
otherwise use a physical address. Doing this removes any single point of failure. 
In our example, three appliances are virtually known by one VIP address and 
seem to be one appliance. They still have different physical addresses, but 
everybody addresses each appliance by its virtual IP address. Multiple machines 
in the cluster can have the same virtual IP address, so if one fails, another can take 
its place and no additional routing needs to take place. 

The one Symantec Raptor Management Console exception to addressing the 
VelociRaptor appliances by their VIP address is connecting to appliances and 
managing them. You cannot use the VIP address in the Symantec Raptor 
Management Console because you cannot be guaranteed of connecting to the 
specific appliance you desire. Any appliance on your network could be the active 
one at any given time. Therefore, all Symantec Raptor Management Console 
connections must be directed to the real IP address of the security gateway you 
wish to manage. 
HA/LB terms 

Incident node 

Only one machine has control of the VIP at any given time. This machine is 
referred to as the incident node. The incident node receives ownership of the VIP, 
and all communication requests directed to the VIP are handled by the incident 
node. 

When a communication request comes in to the incident node, the incident node 
is responsible for: 

■ serving the request 

■ passing on the initial request to another node in the cluster 

■ passing on the request to the node that is currently serving the connection 

If a failure occurs on the incident node, another node in the cluster becomes the 
incident node, claims ownership of the VIP, and assumes responsibility for all 
new connection requests entering the cluster. 

Heartbeat network 

A heartbeat network is an internal network that acts as the heartbeat or control 
network. The heartbeat network is used by each appliance in the cluster to 
exchange state information about the cluster. The heartbeat network does not 
have to be dedicated to heartbeat communications only; however, this is the 
preferred configuration. 

Sticky node 

A sticky node is a node in the cluster that has been designated as sticky. If a 
node is marked as sticky, and requests are currently being sent to it, requests will 
continue to be sent to this node until this node is no longer available (due to a 
failure). If one node gives up the sticky bit, it will jump to the next node picked to 
be the incident node, and remain there until that node is no longer available, even 
if the first node comes back up. 
Preferred node 

A preferred node is a node in the cluster that has been designated as preferred. 
A preferred node can be thought of as a persistent sticky node. By 
specifying that a node is preferred, communication requests will always be sent to 
this machine when it is available. If this machine is unavailable, another machine 
on the cluster will become the incident node, but will not be marked as the 
preferred node. If the first machine comes back up, communication requests will 
revert back to the first machine until it is no longer available. 

Symmetric routing 

Symmetric routing assures that any return packets for a connection go back out 
through the same security gateway. 

Asymmetric routing 

Asymmetric routing is the default mode for the appliance until the Cluster 
Wizard is run for the first time. Asymmetric routing allows a return packet for a 
connection to go back out through any security gateway in the cluster. 
Asymmetric routing provides for better network performance, especially if the 
incident node is busy. State information must be maintained between all of the 
nodes in the cluster for asymmetric routing to work properly. 

About the cluster wizard 

The VelociRaptor appliance provides a Cluster wizard to group appliances into a 
cluster for three purposes: 

■ Integrated Software HA/LB - To configure software high availability and load 
balancing on appliances with HA/LB enabled using built-in clustering 
functionality. 

■ Hardware HA/LB - To configure hardware high availability and load 
balancing on appliances with HA/LB enabled that are connected to a 
Radware FireProof device. Radware's FireProof is an intelligent traffic 
management device for multiple firewalls and Virtual Private Network 
(VPN) devices. See www.radware.com for more information. 

Other third-party hardware HA/LB devices can be used, but are not 
supported by Symantec. An option is provided to configure third party 
hardware HA/LB devices. 

■ Other replication - To enable the propagation of configuration files from one 
appliance to other appliances. VelociRaptor appliance configuration 
information is stored in the var/lib/sg directory. When you select an 
appliance in your cluster and click on Propagate, all files from that 
appliance's sg directory are copied to the sg directories of enabled members 
of the cluster. This allows all members of the cluster to appear as one 
appliance, with the same users, network entities, rules, and all other 
properties. 

After you have created a cluster, you can manage it by right- clicking the cluster 
name and choosing one of the following options from the All Tasks menu. 

■ Verify Cluster - Identifies cluster members that may not have the same 
configuration and allows you to update the configuration based on a selected 
cluster member. 

■ Modify Cluster - Allows you to add members to a cluster after it is created, to 
delete members, to change the cluster's control network, and to change 
virtual IP addresses. 

You can also use the Modify Cluster wizard to enable or disable members of 
a cluster when you are preparing to propagate configuration changes from 
one member of a cluster to the rest of the cluster. 

■ Delete Cluster - Allows you to delete the cluster configuration information 
from all the members of the cluster. This does not delete any appliances. It 
removes the configuration information that associates them with a cluster. 



Preparing to create a cluster 

Every VelociRaptor appliance to be added to a cluster must meet the following 
prerequisites: 

■ All members must have the same number of configured interfaces. 

■ All members must run the same operating system version. 

■ The network configuration of all cluster members must match; every cluster 
member must have IP addresses on the same subnets as the other cluster 
members. 

■ Each appliance must have a different system name. 

■ HA/LB must be enabled on all appliances. 

In addition, the IP address specified to connect to the VelociRaptor appliance 
must lie on the same subnet as the IP addresses specified to connect to the other 
members. 
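The prerequisites above, together with the VIP rules stated earlier in this chapter (Table 9-1, the note that a VIP should be higher than any node address on its subnet, and the default-gateway settings for each network), can be checked from a written-down plan before the Cluster Wizard is run. The following Python script is an added example, not code from the Symantec guide or from the appliance. The member records are constructed sample data modelled on the three-appliance example: the external addresses are those shown in Figure 9-3, while the other node addresses, the field names and the OS version string are assumptions.

```python
# Added example (not part of the Symantec guide): pre-flight checks for an HA/LB
# cluster plan. Member records are constructed sample data; field names, OS
# version and the non-external node addresses are assumptions.
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed sample data modelled on the three-appliance example.
MEMBERS = [
    {"name": "SGS-A", "os_version": "1.0", "halb_enabled": True,
     "addresses": ["169.10.10.2", "192.168.30.2", "172.168.6.2", "192.168.1.2"]},
    {"name": "SGS-B", "os_version": "1.0", "halb_enabled": True,
     "addresses": ["169.10.10.3", "192.168.30.3", "172.168.6.3", "192.168.1.3"]},
    {"name": "SGS-C", "os_version": "1.0", "halb_enabled": True,
     "addresses": ["169.10.10.4", "192.168.30.4", "172.168.6.4", "192.168.1.4"]},
]

# Cluster subnets and their VIPs, as listed in Table 9-1.
VIPS = {
    "169.10.10.0/24": "169.10.10.250",
    "192.168.30.0/24": "192.168.30.250",
    "172.168.6.0/24": "172.168.6.250",
    "192.168.1.0/24": "192.168.1.250",
}


def check_members(members: List[dict], subnets: List[str]) -> List[str]:
    """Return the prerequisite violations found; an empty list means the members qualify."""
    problems: List[str] = []
    if not members:
        return ["no cluster members given"]
    names = [m["name"] for m in members]
    if len(set(names)) != len(names):
        problems.append("system names are not unique: %s" % sorted(names))
    if len({len(m["addresses"]) for m in members}) != 1:
        problems.append("members have different numbers of configured interfaces")
    if len({m["os_version"] for m in members}) != 1:
        problems.append("members run different operating system versions")
    for m in members:
        if not m["halb_enabled"]:
            problems.append("HA/LB is not enabled on %s" % m["name"])
        # Every member needs exactly one address on every cluster subnet.
        for net in subnets:
            n = ip_network(net)
            hits = [a for a in m["addresses"] if ip_address(a) in n]
            if len(hits) != 1:
                problems.append("%s has %d addresses on %s, expected 1"
                                % (m["name"], len(hits), net))
    return problems


def check_vips(members: List[dict], vips: Dict[str, str]) -> List[str]:
    """Each subnet's VIP must lie inside the subnet and be higher than every node address on it."""
    problems: List[str] = []
    for net, vip in vips.items():
        n = ip_network(net)
        v = ip_address(vip)
        if v not in n:
            problems.append("VIP %s is not inside %s" % (vip, net))
            continue
        node_addrs = [ip_address(a) for m in members
                      for a in m["addresses"] if ip_address(a) in n]
        if any(v <= a for a in node_addrs):
            problems.append("VIP %s is not higher than every node address on %s" % (vip, net))
    return problems


def gateway_for(host: str, vips: Dict[str, str]) -> Optional[str]:
    """Return the VIP that a host on one of the cluster subnets should use as its default gateway."""
    h = ip_address(host)
    for net, vip in vips.items():
        if h in ip_network(net):
            return vip
    return None  # the host is not on any cluster subnet


def validate_plan(members: List[dict], vips: Dict[str, str]) -> List[str]:
    """Run all checks; the plan's subnets are the keys of the VIP table."""
    return check_members(members, list(vips)) + check_vips(members, vips)


if __name__ == "__main__":
    for line in validate_plan(MEMBERS, VIPS) or ["plan is consistent"]:
        print(line)
```

Run it against your own member list and VIP table; any non-empty result names the prerequisite or VIP rule that the plan breaks, and `gateway_for` gives the VIP that a host on a given subnet must use as its default gateway.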



Before you create a cluster 

■ Define the IP addresses of all the appliances you want to add to the cluster. 
■ Define the remote management passwords of all the appliances you want to 
add to the cluster, using the Symantec Raptor Management Console. 



Creating a cluster for software high availability/load balancing 

The following procedure describes how to create a cluster for software HA/LB. 

An HA/LB cluster can also be used to propagate appliance configuration files 
from one cluster member to all other enabled members of the cluster. See 
Creating a cluster for appliance file propagation or hardware HA/LB on page 154. 

Before you create the cluster, make sure that the IP addresses and passwords of all 
the appliances you want to add to the cluster have been defined on all the 
appliances that will be added to the cluster. 

To create a software HA/LB cluster 

1 Click the Symantec Raptor Management Console icon to display the Getting 
Connected taskpad in the right pane. 

If the Taskpad is not displayed, pull down the View menu and choose 
Taskpad. 

2 Click the New Cluster icon to display the Create Cluster Wizard. 



Figure 9-7 Create Cluster wizard Introduction screen 

3 Click Next to display the Create a new cluster screen. 
Figure 9-8 Create a new cluster wizard screen 

4 Type a name and description for the cluster. 

5 Click the Integrated Software HA/LB radio button. 

6 Click Next to display the Cluster members screen. 





Figure 9-9 Cluster members screen 

7 To add the first member to the cluster, click Add to display the Connect to 
cluster member dialog box. 



Figure 9-10 Connect to cluster member dialog box 

8 Type the IP address of the appliance that will be the first cluster member, and 
the password and port number that are used to connect to it. 
Note: The Obtain read/write access check box is grayed out and cannot be 
edited. It indicates that when the Cluster Wizard attempts to connect you to 
the specified appliance, you must be able to obtain read/write access to add 
the appliance to the cluster. 



9 Click OK and the Cluster wizard will attempt to connect to the appliance. 

■ If this is the first time this appliance is being added to a cluster, the 
Cluster members screen is redisplayed, showing the IP address of the 
appliance and verifying that you are connected. 

■ If the appliance is already a member of a cluster, a message asks if you 
want to read the existing cluster information for the appliance. 

If you click Yes, the name and description of the cluster to which the 
appliance belongs replaces the name and description you provided in 
step 4, since the appliance can only belong to one cluster. The Cluster 
members screen is displayed, showing the members of the appliance's 
cluster. 

10 To add a new member to the cluster, click Add to display the Connect to 
cluster member dialog box. 

You can also delete an existing member from the cluster by selecting the IP 
address and clicking Delete. 

11 Type the IP address, password, and management port number of another 
appliance and click OK. 

The new member's IP address is added to the Cluster members screen and 
your connection is verified. 

12 Repeat steps 10 and 11 for each cluster member to be added. 

13 When all the cluster members have been added, click Next to display the 
Define primary subnet and virtual IP address screen. 
Figure 9-11 Define primary subnet and virtual IP addresses page 

14 Use the Subnet list to choose a subnet to be used as the controlling network. 
The inside network is selected by default. 

15 Select a Subnet from the Cluster member information list and click Edit to 
display the VIP Addresses dialog box. 



Figure 9-12 VIP Addresses dialog box 

16 Click Add to display the Add a Virtual IP Address dialog box. 



Figure 9-13 Add a Virtual IP Address dialog box 

This dialog box allows you to provide a Virtual IP address (VIP) for the 
cluster member. This IP address is used to represent the identity of the cluster 
to outside machines and routers. 



Note: You must assign at least one VIP address to each subnet of the cluster. 
17 The VIP address can be assigned in three different ways, depending on your 
cluster requirements. 

■ Type a Virtual IP Address for the cluster member without doing 
anything else in this dialog box. 

This creates a normal VIP that is free to participate in load balancing. It 
does not have any type of "stickiness" associated with it. 

■ Type a VIP address for the cluster member and check the This VIP is 
sticky check box. 

This creates a sticky VIP that will stay on the node it is assigned to as 
long as that node is healthy. If the node goes down, the VIP is 
transferred to another node in the cluster. When the original node 
comes back up, the VIP stays with the node that it transferred to. 

■ Type a VIP address for the cluster member, check the This VIP is sticky 
check box, and choose the IP address of a preferred appliance for the 
VIP to be associated with. 

This creates a sticky VIP that has a preference for the IP address you 
select. It will stay with the node it is assigned to as long as that node is 
healthy. If the node goes down, the VIP is transferred to another node in 
the cluster. When the node the VIP was originally assigned to is back up, 
the VIP returns to it. 



Note: With symmetric routing turned on, sticky VIPs do not affect the node 
that actually owns the connections, simply where the traffic is first seen. You 
can implement your own symmetric routing by having sticky VIPs bound to 
particular machines and then distribute them in a load balanced way. Then 
turn asymmetric routing on and the incident node is the owner node for the 
traffic. See "HA/LB terms" on page 144 for more information. 
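The three VIP kinds above differ only in what happens when the node holding the VIP fails and later returns. The following Python model is an added example, not the appliance's own code; it replays a failure and recovery sequence on a three-node cluster named after the appliances in Figure 9-3 (SGS-A, SGS-B, SGS-C) using the example's VIP addresses. Two behaviours are assumptions of the model rather than statements in the guide: the node chosen to take over a VIP is the first healthy node in configured order, and a normal (non-sticky) VIP is re-picked whenever a node recovers. The model tracks VIP ownership only, not the connection state that asymmetric routing requires the nodes to share.

```python
# Added example (not the appliance's own code): a model of how VIP ownership
# moves between cluster nodes for the three VIP kinds in step 17. The pick order
# (first healthy node in configured order) and the re-pick of a normal VIP after
# a recovery are assumptions of this model, not behaviour the guide specifies.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Vip:
    address: str
    sticky: bool = False
    preferred: Optional[str] = None  # name of the preferred node (sticky VIPs only)
    owner: Optional[str] = None      # node currently holding the VIP (its incident node)


class Cluster:
    """Tracks which node holds each VIP as nodes fail and come back."""

    def __init__(self, nodes: List[str], vips: List[Vip]):
        self.nodes = list(nodes)  # configured order doubles as the pick order (assumption)
        self.up = {name: True for name in self.nodes}
        self.vips = {v.address: v for v in vips}
        for v in self.vips.values():
            v.owner = self._pick(v)

    def _healthy(self) -> List[str]:
        return [n for n in self.nodes if self.up[n]]

    def _pick(self, vip: Vip) -> Optional[str]:
        """The preferred node takes its VIP whenever it is healthy; otherwise the
        first healthy node in configured order does (assumption)."""
        if vip.sticky and vip.preferred and self.up.get(vip.preferred, False):
            return vip.preferred
        healthy = self._healthy()
        return healthy[0] if healthy else None

    def fail(self, node: str) -> None:
        """A node goes down: every VIP it held is transferred to another node."""
        self.up[node] = False
        for v in self.vips.values():
            if v.owner == node:
                v.owner = self._pick(v)

    def recover(self, node: str) -> None:
        """A node comes back: preferred VIPs return to it, plain sticky VIPs stay
        where they were transferred, normal VIPs are re-picked (assumption)."""
        self.up[node] = True
        for v in self.vips.values():
            if v.owner is None:
                v.owner = self._pick(v)  # nothing was left to hold it
            elif v.sticky and v.preferred == node:
                v.owner = node
            elif v.sticky:
                continue
            else:
                v.owner = self._pick(v)

    def owners(self) -> Dict[str, Optional[str]]:
        return {addr: v.owner for addr, v in self.vips.items()}


def walk_through() -> List[Dict[str, Optional[str]]]:
    """Replay a failure/recovery sequence on a three-node cluster built from the
    guide's example addresses; returns the owner map after each event."""
    cluster = Cluster(
        ["SGS-A", "SGS-B", "SGS-C"],
        [Vip("169.10.10.250"),                                   # normal VIP
         Vip("172.168.6.250", sticky=True),                      # sticky VIP
         Vip("192.168.1.250", sticky=True, preferred="SGS-A")],  # sticky VIP with preferred node
    )
    snapshots = [dict(cluster.owners())]
    for event, node in [("fail", "SGS-A"), ("recover", "SGS-A"), ("fail", "SGS-B")]:
        getattr(cluster, event)(node)
        snapshots.append(dict(cluster.owners()))
    return snapshots


if __name__ == "__main__":
    for step, owners in enumerate(walk_through()):
        print(step, owners)
```

After SGS-A fails and returns, the sticky VIP is still on SGS-B while the preferred VIP has moved back to SGS-A; that is the difference between the second and third assignment methods above.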



18 Click OK to process the Add a Virtual IP Address dialog box, then click OK 
again to close the VIP Addresses dialog box. 

The VIPs you have assigned are shown in the Cluster member information 
list. 

19 Repeat Step 15 on page 151 through Step 18 on page 153 for each subnet, 
then click Next to display the final screen of the Cluster Wizard. 
Figure 9-14 Completing the Wizard page 

20 Decide whether to reboot the cluster members now or later. 

If you choose Yes, reboot now, all appliances in the cluster will be rebooted. 

21 Click Finish to complete the wizard. 

You are returned to the Symantec Raptor Management Console. The newly 
created cluster appears as an icon in the left pane. By expanding it, you can 
see all the members of the cluster. 

You may want to delete the previous individual appliances that are now 
members of the cluster. 

The members of the cluster will start to work as an integrated software HA/ 
LB cluster after rebooting. 



Creating a cluster for appliance file propagation or hardware HA/LB 

Clusters can be used to propagate configuration information such as rules, users, 
and entity definitions from one appliance to other appliances. The following 
procedure does not involve any HA/LB configuration. 

Before you run the Cluster Wizard, make sure that the IP addresses and 
passwords of all the appliances you want to add to the cluster have been defined 
on all the VelociRaptor appliances that will be added to the cluster. 






To create a cluster of appliances for propagation of configuration files or 
hardware HA/LB 

1 Click the Symantec Raptor Management Console icon to display the Getting 
Connected taskpad. 

2 Click the New Cluster icon to display the Cluster Create Wizard. 

3 Click Next to display the Create a new cluster screen as shown in Figure 9-8. 

4 Type a name and description for the cluster. 

5 Click one of the following radio buttons: 

■ To create a hardware HA/LB cluster, click Hardware HA/LB. 

■ To create a cluster for propagation of configuration files only, click 
Other replication. 

6 Click Next to display the Cluster members screen as shown in Figure 9-9. 

7 To add the first member to the cluster, click Add to display the Connect to 
cluster member dialog box, as shown in Figure 9-10. 

8 Type the IP address, password and management port number of the first 
cluster member. 



Note: The Obtain read/write access upon connecting check box is grayed 
out and can not be edited. When the Cluster Wizard attempts to connect you 
to an appliance, you must have read/write access to add the appliance to the 
cluster. 



9 Click OK. 

The Cluster wizard attempts to connect to the appliance. 

■ If this is the first time this appliance is being added to a cluster, the 
Cluster members screen is re-displayed, showing the IP address of the 
appliance and verifying that you are connected. 

■ If the appliance is already a member of a cluster, a message asks if you 
want to read the existing information for the appliance. 

■ If you click Yes, the name and description of the cluster to which the 
appliance belongs replaces the name and description you provided in 
Step 4 on page 155, since the appliance can only belong to one cluster. 
The Cluster members screen is displayed, showing the members of the 
appliance's cluster. 

10 To add a new member to the cluster, click Add to display the Connect to 
cluster member dialog box. 
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You can also delete an existing member from the cluster by selecting the IP 
address and clicking Delete. 

11 Type the IP address, password, and management port of another appliance 
and click OK. 

The new member's IP address is added to the Cluster members screen and 
your connection is verified. 

12 Repeat Step 10 on page 155 and Step 11 on page 156 for each cluster 
member to be added. 

13 When all the cluster members have been added, click Next to display the final 
screen of the Cluster Wizard. 

14 Click Finish to complete the wizard. 

You are returned to the Symantec Raptor Management Console. The newly 
created cluster appears as an icon in the left pane. By expanding it, you can 
see the members of the cluster. 

If you created a Hardware HA/LB cluster, the cluster is ready to be connected to a 
Radware FireProof device. Radware's FireProof is an intelligent traffic 
management device for multiple firewalls and Virtual Private Network (VPN) 
devices. See www.radware.com for more information. 

Verifying a cluster 

Verifying a cluster allows you to be sure that the cluster configuration 
information is identical on all cluster members. For example, if a machine was 
down when you last made changes, it may not have the latest cluster 
configuration information. 

If your cluster members do not have identical cluster information, the Verify 
Cluster wizard allows you to choose a cluster member so that its configuration 
can be copied to all other members. 

To verify a cluster 

1 Connect to a member of the cluster you want to verify. 

2 In the left pane, right-click on the cluster name. 

3 Choose All Tasks > Verify Cluster to display the Verify Cluster Wizard. 

4 Click Next. 

5 If there are cluster members that are not connected, the Connect to cluster 
members screen is displayed. Type the password for the system whose IP 
address is displayed and click Next. 
6 Repeat Step 5 on page 156 until all members are connected, at which point 
one of the following screens is displayed: 

■ If the Completing the Wizard screen is displayed, saying that the 
configuration is in a consistent state, the verification process has been 
completed successfully. Click Finish to close the Verify Cluster Wizard. 

■ If the Cluster configuration not in sync screen is displayed, continue at 
Step 7 on page 159. 

7 Choose a cluster member from the list and click Next. 

If the member you chose is valid, the Verify cluster screen is displayed, 
showing the cluster information of the member. 

a Click Next. The Cluster configuration chosen screen is displayed. This 
screen is read only. 

b Click Next to display the Completing the Wizard screen. 

c Click Finish to write the configuration of the selected cluster member to 
all other members. 

If the member you chose is not valid, a message box tells you that the 
member's information is incorrect and cannot be restored. 

d Click OK to clear the message and return to the Cluster configuration 
not in sync screen. The invalid cluster is marked. 

e Choose another cluster member from which the cluster information will 
be copied, and click Next. 

f Repeat until the Cluster configuration chosen screen is displayed. This 
screen is read only. 

g Click Next to display the Completing the Wizard screen. 

h Click Finish to write the configuration of the selected cluster member to 
all other members. 



Modifying a cluster 

There are two reasons to modify a cluster: 

■ To make changes to the cluster configuration information and copy those 
changes to all members of the cluster. 

■ To enable or disable a cluster member prior to using the Propagate option. 
Propagate copies the appliance configuration files from a selected appliance's 
sg directory to all enabled members of that appliance's cluster. 
To access the Modify Cluster Wizard, you must be connected to at least one 
cluster member. 

To modify a cluster 

1 In the left pane, right-click the cluster name. 

2 Choose All Tasks > Modify Cluster to display the Modify Cluster Wizard. 

3 Click Next to display the Modifying a cluster screen. 

You can change the cluster name and description. By default, the 
Automatically connect to all disconnected cluster members check box is 
checked. The modifications you make will only be copied to members that 
are connected. Uncheck this check box if you do not want to connect to all 
cluster members. 



Note: Symantec recommends that you connect to all cluster members when 
modifying a cluster so that the modifications you make are distributed to all 
members. 



4 Click Next. 

■ If the option to automatically connect was checked, the wizard connects 
to all cluster members, and then displays the Cluster members screen. 

■ If the option to automatically connect was not checked on the previous 
screen, the Connect to cluster members screen is displayed. 

■ If you want to connect the cluster member whose IP address is shown, 
type the password and, if necessary, change the management port, then 
click Next to connect. Repeat for all cluster members to which you want 
to connect. 

■ If you do not want to connect to a member, select the Ignore this 
member check box and click Next. 



Note: Modified cluster information is not copied to members which are 
ignored. 



After you have been given the chance to connect to all cluster members, the 
wizard displays the Cluster members screen. 

5 On the Cluster members screen, you can: 

■ Click Add to add a new cluster member. 

■ Click Delete to delete a member of the cluster. 
■ Uncheck the check box to the left of a cluster member's icon to disable 
the cluster member. This causes the cluster member to be ignored when 
appliance configuration files are propagated. 

■ If a cluster member has been disabled, select the check box to enable the 
cluster member to participate in the propagation of appliance 
configuration files. 

6 When you have completed all changes to the cluster member screen, click 
Next. 

■ If the cluster is not an HA/LB cluster, the final screen of the wizard is 
displayed. Go to Step 13. 

■ If the cluster is an HA/LB cluster, the Define primary subnet and virtual 
IP addresses screen is displayed. Complete steps 7 through 12. 

7 To change the subnet that is selected to act as the heartbeat network, click 
Clear All VIPs, then use the Subnet drop down list to select a different 
subnet. You must then create virtual IP addresses (VIPs) for all subnets. 

8 To change or create a VIP, select a subnet in the Cluster member information 
list and click Edit to display the VIP Addresses dialog box. 

9 The VIP Addresses dialog box provides the following options: 

■ Select an existing VIP and click Edit to edit it or Delete to delete it. 

■ To add a new VIP, click Add. 

Clicking Add or Edit displays the Add a Virtual IP Address dialog box. 

10 Complete the Add a Virtual IP Address dialog box as follows: 



Note: Symantec recommends that the VIP address is higher than the 
physical IP address of the nodes in the cluster. 



■ Type a Virtual IP Address for the cluster member without doing 
anything else in this dialog box. 

This creates a normal VIP that is free to participate in load balancing. It 
does not have any sort of stickiness associated with it. 

■ Type a Virtual IP Address for the cluster member and check the This 
VIP is sticky check box. 

This creates a sticky VIP that will stay on its current node as long as that 
node is healthy. If the node goes down, the VIP is transferred to another 
node in the cluster. When the original node comes back up, the VIP 
stays with the node that it transferred to. 
■ Type a Virtual IP Address for the cluster member, check the This VIP is 
sticky check box, and choose an IP address (preferred machine) for the 
VIP association. 

This creates a sticky VIP that has a preference for the IP address you 
select. It will stay with the node it is assigned to as long as that node is 
healthy. If the node goes down, the VIP is transferred to another node in 
the cluster. When the original node is back up, the VIP returns to it. 



Note: With symmetric routing turned on, sticky VIPs do not affect the node 
that actually owns the connections, only where the traffic is first seen. You 
can implement your own symmetric routing by having sticky VIPs bound to 
particular machines and then distribute them in a load balanced way. Then, 
turn asymmetric routing on and the incident node is the owner node for the 
traffic. 



11 Click OK to process the Add a Virtual IP Address dialog box, then click OK 
again to close the VIP Addresses dialog box. 

12 When all VIP addresses have been modified, click Next to display the final 
wizard screen. 

If the cluster you are modifying is a software HA/LB cluster, you will be 
prompted to reboot so that the modifications you have made can be 
registered. 

13 On the Completing the Wizard screen, click Finish to write the modified 
cluster configuration to all files in the cluster. 
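The three VIP behaviours described in step 10 (normal, sticky, and sticky with a preferred machine) differ only in what happens when a node fails and later recovers. The following Python model is an added example, not Symantec code: the node and VIP addresses are constructed, and the least-loaded placement rule used for free VIPs is an assumption made to keep the model deterministic.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Vip:
    """A virtual IP address and how it is allowed to move between nodes."""
    address: str
    sticky: bool = False             # the "This VIP is sticky" check box
    preferred: Optional[str] = None  # preferred machine; sticky VIPs only
    owner: Optional[str] = None      # physical node currently holding the VIP


class Cluster:
    """Toy HA/LB cluster: tracks node health and where each VIP lives."""

    def __init__(self, nodes: List[str]) -> None:
        self.healthy: Dict[str, bool] = {ip: True for ip in nodes}
        self.vips: Dict[str, Vip] = {}

    def add_vip(self, vip: Vip) -> None:
        if vip.preferred is not None:
            if not vip.sticky:
                raise ValueError("a preferred machine only applies to a sticky VIP")
            if vip.preferred not in self.healthy:
                raise ValueError(f"{vip.preferred} is not a cluster member")
        self.vips[vip.address] = vip
        self.rebalance()

    def node_down(self, ip: str) -> None:
        self.healthy[ip] = False
        self.rebalance()

    def node_up(self, ip: str) -> None:
        self.healthy[ip] = True
        self.rebalance()

    def _up(self) -> List[str]:
        return sorted(ip for ip, ok in self.healthy.items() if ok)

    def _least_loaded(self, candidates: List[str]) -> str:
        # Assumed placement rule: fewest VIPs wins, ties go to the lowest address.
        load = {ip: 0 for ip in candidates}
        for v in self.vips.values():
            if v.owner in load:
                load[v.owner] += 1
        return min(candidates, key=lambda ip: (load[ip], ip))

    def rebalance(self) -> None:
        up = self._up()
        if not up:
            for v in self.vips.values():
                v.owner = None
            return
        # Sticky VIPs are settled first so that free VIPs balance around them.
        for v in self.vips.values():
            if not v.sticky:
                continue
            if v.preferred is not None and self.healthy[v.preferred]:
                v.owner = v.preferred              # returns to its preferred node
            elif v.owner in up:
                pass                               # stays put while its node is healthy
            else:
                v.owner = self._least_loaded(up)   # transferred; stays on the new node
        # Normal VIPs are free to be redistributed whenever membership changes.
        for v in self.vips.values():
            if not v.sticky:
                v.owner = None
        for v in self.vips.values():
            if not v.sticky:
                v.owner = self._least_loaded(up)

    def placement(self) -> Dict[str, Optional[str]]:
        return {addr: v.owner for addr, v in self.vips.items()}


def failover_scenario() -> List[Dict[str, Optional[str]]]:
    """Two nodes, one VIP of each kind; returns the placement after each event."""
    c = Cluster(["10.0.0.1", "10.0.0.2"])          # constructed node addresses
    c.add_vip(Vip("10.0.0.11", sticky=True))
    c.add_vip(Vip("10.0.0.10"))
    c.add_vip(Vip("10.0.0.12", sticky=True, preferred="10.0.0.1"))
    history = [c.placement()]
    c.node_down("10.0.0.1")                        # first node fails
    history.append(c.placement())
    c.node_up("10.0.0.1")                          # first node recovers
    history.append(c.placement())
    return history


if __name__ == "__main__":
    for label, state in zip(("initial", "node 1 down", "node 1 back"), failover_scenario()):
        print(f"{label:12s} {state}")
```

After recovery the plain sticky VIP remains on the node it failed over to, the preferred sticky VIP moves back, and only the normal VIP is rebalanced.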

Deleting a cluster 

To access the Delete Cluster Wizard, you must be connected to at least one cluster 
member. 



Note: The process of deleting a cluster does not delete any appliances. It simply 
removes the configuration information that associates them into a cluster. 



To delete a cluster 

1 In the left pane, right-click the cluster name. 

2 Choose All Tasks > Delete Cluster to display the Delete Cluster Wizard. 

3 Click Next to display the Deleting a cluster screen. 
By default, the Automatically connect to all disconnected cluster members 
check box is checked. The cluster can only be deleted if all members are 
connected so that the cluster information can be deleted from them. 

4 Click Next. 

■ If the option to automatically connect was checked, the wizard connects 
to all cluster members, and then displays the Completing the Wizard 
screen. 

■ If the option to automatically connect was not checked on the previous 
screen, the Connect to cluster members screen is displayed to allow you 
to connect. 

5 Type the password and, if necessary, change the management port for the 
cluster member whose IP address is shown. 

6 Click Next to connect. 

When all members of the cluster are connected, the Completing the Wizard 
screen is displayed. 

7 Click Finish to delete the cluster configuration from all members. 

Viewing Cluster Properties 



Note: Although you can view the properties of a cluster, the details you see are 
read only. If you want to make changes, you must do so by using the Modify 
Cluster wizard. For more information, see Modifying a cluster on page 157. 



To view the properties of a cluster 

1 Expand the cluster's folder in the left pane. 

2 Connect to a member of the cluster. 

You must be connected because the cluster configuration information is 
stored on the cluster members. 

3 Right-click on the cluster's icon and choose Properties. The cluster's 
Properties pages are displayed. 

The General tab shows the name and description of the cluster, and tells you 
what type of cluster it is. 

The Member field gives the IP address of the connected member. 

4 Click the Members tab. 

This tab lists the members of the cluster and indicates whether they are 
enabled for propagation. 

5 If the cluster is an Integrated Software HA/LB cluster, click the VIPS tab to 
view information about the Virtual IP (VIP) addresses in use by the cluster. 

■ The virtual IP addresses list shows the cluster subnets and the VIP 
addresses that are assigned to them. 

■ To see details about a specific subnet, double click the subnet to display 
the VIP addresses dialog box. 

■ To see details about a specific VIP address, double click the address. 

■ Click OK to close each additional dialog box you display. 

6 Click OK to close the cluster's Properties page. 

Propagating appliance configuration files 

When you secure your network using multiple appliances, it is important to have 
consistency between appliance configurations. You want to be sure that entities 
are defined in the same way on all systems, and that the same authorization rules 
and authentication procedures are in place. 

Propagation allows you to configure one appliance and copy the configuration 
information to other appliances that are grouped in a cluster. 

Among the files that are copied to the other appliances is the host file from the 
source machine. The source host file overwrites the target host files, rather than 
merging with them. 

Do the following before running Propagate, so that DNS entries are not 
overwritten 

1 On the appliance from which you will propagate, use the DNS Records 
Properties page to create an entry in the Hosts file for each of the other 
appliances in the cluster. 

2 Create entities for all the configured interfaces of all the nodes in the cluster. 

To propagate appliance configuration files 

1 Associate the appliances protecting your network into a cluster. See Creating 
a cluster for appliance file propagation or hardware HA/LB on page 154. 

2 Make your changes to a selected appliance system in the cluster. 

3 Decide whether to propagate appliance configuration files to all members of 
the cluster, or to disable some cluster members so that their configuration 
files remain unchanged. See also Modifying a cluster on page 157. 



Note: Symantec recommends that you propagate to all cluster members. 
4 In the left pane, click on the icon of the appliance where changes have been 
made. 

5 Right-click and choose All Tasks > Propagate, or display the Action menu and 
choose All Tasks > Propagate. 

6 A message box asks if you are sure you want to propagate. Click Yes. 
The Result of configuration propagation status box is displayed. 

For each appliance in the cluster, the appliance service is temporarily stopped 
so that the configuration files can be copied to the appliances. 
The status box displays the following messages as the backup file from the 
source appliance is restored: 

Processing Wait... 
Updating SRMC view Wait- 
Restarting Services Wait... 
Propagation Done 



7 When the configuration has been propagated to all enabled members of the 
cluster, click OK to close the status box. 
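Because Propagate overwrites the target hosts files instead of merging them, a practitioner will want to confirm, before clicking Yes in step 6, that the source appliance's hosts file already carries an entry for every other cluster member (the preparation step above) and to know which target entries will disappear. The following Python check is an added example, not part of the appliance or of this manual; the hosts file contents and member addresses are constructed.

```python
import ipaddress
from typing import Dict, List

# Constructed sample: the source appliance's hosts file after the preparation
# step, with the entry for one cluster member deliberately left out.
SOURCE_HOSTS = """\
127.0.0.1   localhost
10.0.0.1    fw1.example.test fw1
10.0.0.2    fw2.example.test fw2
# 10.0.0.3 has no entry here, so the target will lose it
"""

# Constructed sample: one target member's own hosts file before propagation.
TARGET_HOSTS = """\
127.0.0.1   localhost
10.0.0.3    fw3.example.test fw3
10.0.0.9    syslog.example.test
"""

# Constructed sample: addresses of all members of the cluster.
CLUSTER_MEMBERS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each address in hosts-file text to its names; comments and blanks are skipped."""
    entries: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                           # not a hosts entry; ignore
        entries.setdefault(addr, []).extend(fields[1:])
    return entries


def members_missing_from_source(source: str, members: List[str]) -> List[str]:
    """Cluster members that still need a Hosts entry on the source appliance."""
    present = parse_hosts(source)
    return [ip for ip in members if ip not in present]


def entries_lost_on_target(source: str, target: str) -> Dict[str, List[str]]:
    """Entries present on a target but absent from the source; since the source
    file overwrites the target file, these are gone after propagation."""
    src = parse_hosts(source)
    return {ip: names for ip, names in parse_hosts(target).items() if ip not in src}


if __name__ == "__main__":
    missing = members_missing_from_source(SOURCE_HOSTS, CLUSTER_MEMBERS)
    if missing:
        print("add Hosts entries on the source for:", ", ".join(missing))
    for ip, names in entries_lost_on_target(SOURCE_HOSTS, TARGET_HOSTS).items():
        print(f"target entry {ip} ({' '.join(names)}) will be overwritten")
```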
Important safeguards 



Safeguard Instructions 

For your protection, please read all these instructions regarding your 
VelociRaptor 1.5 appliance. 

■ Read Instructions 

Read and understand all the safety and operating instructions before 
operating the appliance. 

■ Ventilation 

The VelociRaptor 1.5 appliance's vents (on the front) and the fan opening(s) 
on the back panel are provided for ventilation and reliable operation of the 
product and to protect it from overheating. These openings must not be 
blocked or covered. This product should not be placed in a built-in 
installation unless proper ventilation is provided. 

■ Lithium Battery 

The lithium battery on the system board provides power for the real-time 
clock and CMOS RAM. The battery has an estimated useful life expectancy 
of 5 to 10 years. 

■ Power Cord 



Caution: The power-supply cord is used as the main disconnect device. 
Ensure that the socket outlet is located or installed near the equipment and is 
easily accessible. 



Caution (French): The power cord serves as the main disconnect device. The 
socket outlet must be located or installed near the equipment and be easily 
accessible. 



Caution (German): To disconnect the device safely from the mains, pull the 
power plug. Make sure that the socket outlet is easily accessible. 



Warning: To reduce the risk of electrical shock, do not disassemble this 
product. Return it to Symantec when service or repair work is required. 
Opening or removing covers may expose you to dangerous voltage or other 
risks. Incorrect reassembly can cause electric shock when this product is 
subsequently used. 



Note: Opening the cover will void your warranty! 

■ Operating the unit in an equipment rack 

If you plan to install the VelociRaptor 1.5 appliance in an equipment rack, 
use these precautions: 

■ Ensure the ambient temperature around the appliance (which may be 
higher than the room temperature) is within the limits specified in 
Appliance models and specifications on page 9. 

■ Ensure there is sufficient air flow around the unit. 

■ Ensure electrical circuits are not overloaded; consider the nameplate 
ratings of all the connected equipment and ensure you have overcurrent 
protection. 

■ Ensure the equipment is properly grounded, particularly any equipment 
connected to a power strip. 

■ Do not place any objects on top of the appliance. 




Licenses 



The LINUX operating system used in the VelociRaptor 1.5 appliance is covered by 
the GNU General Public License. The firewall software is covered by the 
Symantec license included with the license serial number. 

To view licensed and enabled features 

1 Select the icon of the connected appliance in the left pane. 

2 Expand the Base Components folder. 

3 Click the System Features icon. 

The licensed features and their status (Enable or Disable) are displayed in the 
right pane. If you want to change the status of a feature, double click on the 
feature to display the feature's properties page. 

GNU GENERAL PUBLIC LICENSE 

Version 2, June 1991 

Copyright (C) 1989, 1991 Free Software Foundation, Inc. 
59 Temple Place - Suite 330, Boston, MA 02111-1307, USA 

TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND 
MODIFICATION 

1 This License applies to any program or other work which contains a notice 
placed by the copyright holder saying it may be distributed under the terms 
of this General Public License. The "Program," below, refers to any such 
program or work, and a "work based on the Program" means either the 
Program or any derivative work under copyright law: that is to say, a work 
containing the Program or a portion of it, either verbatim or with 
modifications and/or translated into another language. (Hereinafter, 
translation is included without limitation in the term "modification.") Each 
licensee is addressed as "you." 

Activities other than copying, distribution and modification are not covered 
by this License; they are outside its scope. The act of running the Program is 
not restricted, and the output from the Program is covered only if its 
contents constitute a work based on the Program (independent of having 
been made by running the Program). Whether that is true depends on what 
the Program does. 

2 You may copy and distribute verbatim copies of the Program's source code as 
you receive it, in any medium, provided that you conspicuously and 
appropriately publish on each copy an appropriate copyright notice and 
disclaimer of warranty; keep intact all the notices that refer to this License 
and to the absence of any warranty; and give any other recipients of the 
Program a copy of this License along with the Program. 

You may charge a fee for the physical act of transferring a copy, and you may 
at your option offer warranty protection in exchange for a fee. 

3 You may modify your copy or copies of the Program or any portion of it, thus 
forming a work based on the Program, and copy and distribute such 
modifications or work under the terms of Section 1 above, provided that you 
also meet all of these conditions: 

a You must cause the modified files to carry prominent notices stating that you 
changed the files and the date of any change. 

b You must cause any work that you distribute or publish, that in whole or in 
part contains or is derived from the Program or any part thereof, to be 
licensed as a whole at no charge to all third parties under the terms of this 
License. 

c If the modified program normally reads commands interactively when run, 
you must cause it, when started running for such interactive use in the most 
ordinary way, to print or display an announcement including an appropriate 
copyright notice and a notice that there is no warranty (or else, saying that 
you provide a warranty) and that users may redistribute the program under 
these conditions, and telling the user how to view a copy of this License. 
(Exception: if the Program itself is interactive but does not normally print 
such an announcement, your work based on the Program is not required to 
print an announcement.) 

These requirements apply to the modified work as a whole. If identifiable 
sections of that work are not derived from the Program, and can be 
reasonably considered independent and separate works in themselves, then 
this License, and its terms, do not apply to those sections when you distribute 
them as separate works. But when you distribute the same sections as part of 
a whole which is a work based on the Program, the distribution of the whole 
must be on the terms of this License, whose permissions for other licensees 
extend to the entire whole, and thus to each and every part regardless of who 
wrote it. 

Thus, it is not the intent of this section to claim rights or contest your rights 
to work written entirely by you; rather, the intent is to exercise the right to 
control the distribution of derivative or collective works based on the 
Program. 

In addition, mere aggregation of another work not based on the Program 
with the Program (or with a work based on the Program) on a volume of a 
storage or distribution medium does not bring the other work under the 
scope of this License. 

4 You may copy and distribute the Program (or a work based on it, under 
Section 2) in object code or executable form under the terms of Sections 1 
and 2 above, provided that you also do one of the following: 

a Accompany it with the complete corresponding machine-readable source 
code, which must be distributed under the terms of Sections 1 and 2 above 
on a medium customarily used for software interchange; or, 

b Accompany it with a written offer, valid for at least three years, to give any 
third party, for a charge no more than your cost of physically performing 
source distribution, a complete machine-readable copy of the corresponding 
source code, to be distributed under the terms of Sections 1 and 2 above on a 
medium customarily used for software interchange; or, 

c Accompany it with the information you received as to the offer to distribute 
corresponding source code. (This alternative is allowed only for 
noncommercial distribution and only if you received the program in object 
code or executable form with such an offer, in accord with Subsection b 
above.) 

The source code for a work means the preferred form of the work for making 
modifications to it. For an executable work, complete source code means all 
the source code for all modules it contains, plus any associated interface 
definition files, plus the scripts used to control compilation and installation 
of the executable. However, as a special exception, the source code 
distributed need not include anything that is normally distributed (in either 
source or binary form) with the major components (compiler, kernel, and so 
on) of the operating system on which the executable runs, unless that 
component itself accompanies the executable. 

If distribution of executable or object code is made by offering access to copy 
from a designated place, then offering equivalent access to copy the source 
code from the same place counts as distribution of the source code, even 
though third parties are not compelled to copy the source along with the 
object code. 
5 You may not copy, modify, sublicense or distribute the Program except as 
expressly provided under this License. Any attempt otherwise to copy, 
modify, sublicense or distribute the Program is void, and will automatically 
terminate your rights under this License. However, parties who have received 
copies, or rights, from you under this License will not have their licenses 
terminated, so long as such parties remain in full compliance. 

6 You are not required to accept this License, since you have not signed it. 
However, nothing else grants you permission to modify or distribute the 
Program or its derivative works. These actions are prohibited by law if you do 
not accept this License. Therefore, by modifying or distributing the Program 
(or any work based on the Program), you indicate your acceptance of this 
License to do so, and all its terms and conditions for copying, distributing or 
modifying the Program or works based on it. 

7 Each time you redistribute the Program (or any work based on the Program), 
the recipient automatically receives a license from the original licensor to 
copy, distribute or modify the Program subject to these terms and 
conditions. You may not impose any further restrictions on the recipients' 
exercise of the rights granted herein. You are not responsible for enforcing 
compliance by third parties to this License. 

8 If, as a consequence of a court judgment or allegation of patent infringement 
or for any other reason (not limited to patent issues), conditions are imposed 
on you (whether by court order, agreement or otherwise) that contradict the 
conditions of this License, they do not excuse you from the conditions of this 
License. If you cannot distribute so as to satisfy simultaneously your 
obligations under this License and any other pertinent obligations, then as a 
consequence you may not distribute the Program at all. For example, if a 
patent license would not permit royalty-free redistribution of the Program by 
all those who receive copies directly or indirectly through you, then the only 
way you could satisfy both it and this License would be to refrain entirely 
from distribution of the Program. 

If any portion of this section is held invalid or unenforceable under any 
particular circumstance, the balance of the section is intended to apply and 
the section as a whole is intended to apply in other circumstances. 
It is not the purpose of this section to induce you to infringe any patents or 
other property right claims or to contest validity of any such claims; this 
section has the sole purpose of protecting the integrity of the free software 
distribution system, which is implemented by public license practices. Many 
people have made generous contributions to the wide range of software 
distributed through that system in reliance on consistent application of that 
system; it is up to the author/donor to decide if he or she is willing to 
distribute software through any other system and a licensee cannot impose 
that choice. 

This section is intended to make thoroughly clear what is believed to be a 
consequence of the rest of this License. 

9 If the distribution and/or use of the Program is restricted in certain countries 
either by patents or by copyrighted interfaces, the original copyright holder 
who places the Program under this License may add an explicit geographical 
distribution limitation excluding those countries, so that distribution is 
permitted only in or among countries not thus excluded. In such case, this 
License incorporates the limitation as if written in the body of this License. 

10 The Free Software Foundation may publish revised and/or new versions of 
the General Public License from time to time. Such new versions will be 
similar in spirit to the present version, but may differ in detail to address new 
problems or concerns. 

Each version is given a distinguishing version number. If the Program 
specifies a version number of this License which applies to it and "any later 
version", you have the option of following the terms and conditions either of 
that version or of any later version published by the Free Software 
Foundation. If the Program does not specify a version number of this 
License, you may choose any version ever published by the Free Software 
Foundation. 

11 If you wish to incorporate parts of the Program into other free programs 
whose distribution conditions are different, write to the author to ask for 
permission. For software which is copyrighted by the Free Software 
Foundation, write to the Free Software Foundation; we sometimes make 
exceptions for this. Our decision will be guided by the two goals of preserving 
the free status of all derivatives of our free software and of promoting the 
sharing and reuse of software generally. 



NO WARRANTY 

1 BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS 
NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED 
BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN 
WRITING, THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY 
KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT 
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY 
AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO 
THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH 
YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME 
THE COST OF ALL NECESSARY SERVICING, REPAIR OR 
CORRECTION. 

2 IN NO EVENT, UNLESS REQUIRED BY APPLICABLE LAW OR AGREED 
TO IN WRITING, WILL ANY COPYRIGHT HOLDER, OR ANY OTHER 
PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM 
AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR 
CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR 
INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR 
LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF 
THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN 
IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGES. 

SYMANTEC APPLIANCE LICENSE AND WARRANTY 
AGREEMENT 

SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES ("SYMANTEC") IS 
WILLING TO LICENSE THE SOFTWARE INCLUDED WITH THE 
APPLIANCE YOU HAVE PURCHASED TO YOU AS AN INDIVIDUAL, THE 
COMPANY, OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE 
SOFTWARE (REFERENCED BELOW AS "YOU OR YOUR") AND TO 
PROVIDE WARRANTIES ON THE APPLIANCE ONLY ON THE CONDITION 
THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AND 
WARRANTY AGREEMENT. READ THE TERMS AND CONDITIONS OF 
THIS LICENSE AND WARRANTY AGREEMENT CAREFULLY BEFORE 
USING THE APPLIANCE. THIS IS A LEGAL AND ENFORCEABLE 
CONTRACT BETWEEN YOU AND SYMANTEC. BY OPENING THIS 
PACKAGE, BREAKING THE SEAL, CLICKING ON THE "AGREE" OR "YES" 
BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY, 
REQUESTING A LICENSE KEY OR USING THE SOFTWARE AND THE 
APPLIANCE, YOU AGREE TO THE TERMS AND CONDITIONS OF THIS 
AGREEMENT. IF YOU DO NOT AGREE TO THESE TERMS AND 
CONDITIONS, CLICK ON THE "I DO NOT AGREE" OR "NO" BUTTON IF 
APPLICABLE AND DO NOT USE THE SOFTWARE AND THE APPLIANCE. 

1. Software License: 

Except for the software, if any, described in the Excluded Software section at the 
end of this agreement (the "Excluded Software"), the software (the "Software") 
which accompanies the appliance you have purchased (the "Appliance") is the 
property of Symantec or its licensors and is protected by copyright law. While 
Symantec continues to own the Software, you will have certain rights to use the 
Software after your acceptance of this license. This license governs any releases, 
revisions, or enhancements to the Software that the Licensor may furnish to you 
as well as the copy of the Software provided to you on a CD-ROM or other media 
in connection with the Appliance (the "Restore Software"). Except as may be 
modified by a Symantec license certificate, license coupon, or license key (each a 
"License Module") which accompanies, precedes, or follows this license, your 
rights and obligations with respect to the use of this Software are as follows: 

You may: 

A use the Software solely as part of the Appliance for no more than the number 
of users as have been licensed to you by Symantec under a License Module; 

B use the Restore Software solely to restore the Appliance to its original factory 
functionality in the event the Software preloaded on the Appliance is 
corrupted or becomes unusable; 

C make copies of the printed documentation which accompanies the Appliance 
as necessary to support your authorized use of the Appliance; and 

D after written notice to Symantec, in connection with a transfer of the 
Appliance, transfer the Software on a permanent basis to another person or 
entity, provided that you retain no copies of the Software, Symantec consents 
to the transfer and the transferee agrees in writing to the terms of this 
agreement. 

You may not: 

A sublicense, rent or lease any portion of the Software; reverse engineer, 
decompile, disassemble, modify, translate, make any attempt to discover the 
source code of the Software, or create derivative works from the Software; 

B use the Restore Software for any purpose other than to restore the Appliance 
to the original factory functionality; 

C use, if you received the Software distributed on an Appliance containing 
multiple Symantec products, any Symantec software on the Appliance for 
which you have not received a permission in a License Module; or 

D use the Software in any manner not authorized by this license. 

2. Content Updates: 

Certain Symantec software products utilize content that is updated from time to 
time (antivirus products utilize updated virus definitions; content filtering 
products utilize updated URL lists; firewall products utilize updated firewall 
rules; vulnerability assessment products utilize updated vulnerability data, etc.; 
collectively, these are referred to as "Content Updates"). You may obtain Content 
Updates for any period for which you have purchased a subscription for Content 
Updates for the product or otherwise separately acquired the right to obtain 
Content Updates. This license does not otherwise permit you to obtain and use 
Content Updates. 

3. Limited Warranty: 

Symantec warrants that the media on which the Restore Software is distributed 
will be free from defects for a period of thirty (30) days from the date of purchase 
of the Appliance. Your sole remedy in the event of a breach of this warranty will 
be that Symantec will, at its option, replace any defective media returned to 
Symantec within the warranty period or refund the money you paid for the 
Restore Software. 

Symantec warrants that the Software will perform on the Appliance in substantial 
compliance with the written documentation accompanying the Appliance for a 
period of thirty (30) days from the date of purchase of the Appliance. Your sole 
remedy in the event of a breach of this warranty will be that Symantec will, at its 
option, repair or replace any defective Software returned to Symantec within the 
warranty period or refund the money you paid for the Appliance. 

Symantec warrants that the hardware component of the Appliance (the 
"Hardware") shall be free from defects in material and workmanship under 
normal use and service and substantially conform to the written documentation 
accompanying the Appliance for a period of three hundred sixty-five (365) days 
from the date of purchase of the Appliance. Your sole remedy in the event of a 
breach of this warranty will be that Symantec will, at its option, repair or replace 
any defective Hardware returned to Symantec within the warranty period or 
refund the money you paid for the Appliance. 

The warranties contained in this agreement will not apply to any Software or 
Hardware which: 

A has been altered, supplemented, upgraded or modified in any way; or 
B has been repaired except by Symantec or its designee. 

Additionally, the warranties contained in this agreement do not apply to repair or 
replacement caused or necessitated by: (i) events occurring after risk of loss 
passes to You such as loss or damage during shipment; (ii) acts of God including 
without limitation natural acts such as fire, flood, wind, earthquake, lightning or 
similar disaster; (iii) improper use, environment, installation or electrical supply, 
improper maintenance, or any other misuse, abuse or mishandling; (iv) 
governmental actions or inactions; (v) strikes or work stoppages; (vi) Your failure 
to follow applicable use or operations instructions or manuals; or (vii) such other 
events outside Symantec's reasonable control. 
Upon discovery of any failure of the Hardware, or component thereof, to 
conform to the applicable warranty during the applicable warranty period, You 
are required to contact us within ten (10) days after such failure and seek a return 
material authorization ("RMA") number. Symantec will promptly issue the 
requested RMA as long as we determine that you meet the conditions for 
warranty service. The allegedly defective Appliance, or component thereof, shall 
be returned to Symantec, securely and properly packaged, freight and insurance 
prepaid, with the RMA number prominently displayed on the exterior of the 
shipment packaging and with the Appliance. Symantec will have no obligation to 
accept any Appliance which is returned without an RMA number. 

Upon completion of repair or if Symantec decides, in accordance with the 
warranty, to replace a defective Appliance, Symantec will return such repaired or 
replacement Appliance to You, freight and insurance prepaid. In the event that 
Symantec, in its sole discretion, determines that it is unable to replace or repair 
the Hardware, Symantec will refund to You the F.O.B. price paid by You for the 
defective Appliance. Defective Appliances returned to Symantec will become the 
property of Symantec. 

Symantec does not warrant that the Appliance will meet your requirements or 
that operation of the Appliance will be uninterrupted or that the Appliance will 
be error-free. 

THE ABOVE WARRANTIES ARE EXCLUSIVE AND IN LIEU OF ALL OTHER 
WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE 
IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A 
PARTICULAR PURPOSE AND NONINFRINGEMENT OF INTELLECTUAL 
PROPERTY RIGHTS. THIS WARRANTY GIVES YOU SPECIFIC LEGAL 
RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE 
TO STATE. 

4. Disclaimer of Damages: 

SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF 
THE EUROPEAN ECONOMIC AREA, DO NOT ALLOW THE LIMITATION 
OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL 
DAMAGES SO THE BELOW LIMITATION OR EXCLUSION MAY NOT 
APPLY TO YOU. 

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND 
REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF 
ITS ESSENTIAL PURPOSE, IN NO EVENT WILL SYMANTEC OR ITS 
LICENSORS BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, 
INDIRECT OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR 
LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE 
SOFTWARE EVEN IF SYMANTEC HAS BEEN ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGES. 

IN NO CASE SHALL SYMANTEC'S OR ITS LICENSORS' LIABILITY EXCEED 
THE PURCHASE PRICE FOR THE APPLIANCE. The disclaimers and 
limitations set forth above will apply regardless of whether you accept the 
Software or the Appliance. 

5. U.S. Government Restricted Rights: 

RESTRICTED RIGHTS LEGEND. All Symantec products and documentation 
are commercial in nature. The software and software documentation are 
"Commercial Items", as that term is defined in 48 C.F.R. section 2.101, consisting 
of "Commercial Computer Software" and "Commercial Computer Software 
Documentation", as such terms are defined in 48 C.F.R. section 252.227- 
7014(a)(5) and 48 C.F.R. section 252.227-7014(a)(l), and used in 48 C.F.R. 
section 12.212 and 48 C.F.R. section 227.7202, as applicable. Consistent with 48 
C.F.R. section 12.212, 48 C.F.R. section 252.227-7015, 48 C.F.R. section 227.7202 
through 227.7202-4, 48 C.F.R. section 52.227-14, and other relevant sections of 
the Code of Federal Regulations, as applicable, Symantec's computer software 
and computer software documentation are licensed to United States Government 
end users with only those rights as granted to all other end users, according to the 
terms and conditions contained in this license agreement. Manufacturer is 
Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014. 

6. Export Regulation: 

You agree to comply strictly with all applicable export control laws, including the 
US Export Administration Act and its associated regulations and acknowledge 
Your responsibility to obtain licenses as required to export, re-export or import 
the Appliance. Export or re-export of the Appliance to Cuba, North Korea, Iran, 
Iraq, Libya, Syria or Sudan is prohibited. 

7. General: 

If You are located in North America or Latin America, this Agreement will be 
governed by the laws of the State of California, United States of America. 
Otherwise, this Agreement will be governed by the laws of England. This 
Agreement and any related License Module is the entire agreement between You 
and Symantec relating to the Appliance and: (i) supersedes all prior or 
contemporaneous oral or written communications, proposals and 
representations with respect to its subject matter; and (ii) prevails over any 
conflicting or additional terms of any quote, order, acknowledgment or similar 
communications between the parties. This Agreement may only be modified by a 
License Module or by a written document which has been signed by both You 
and Symantec. This Agreement shall terminate upon Your breach of any term 
contained herein and You shall cease use of and destroy all copies of the Software 
and shall return the Appliance to Symantec. The disclaimers of warranties and 
damages and limitations on liability shall survive termination. Should you have 
any questions concerning this Agreement, or if you desire to contact Symantec 
for any reason, please write: (i) Symantec Customer Service, 175 W. Broadway, 
Eugene, OR 97401, USA, or (ii) Symantec Customer Service Center, PO BOX 
5689, Dublin 15, Ireland. 

8. Excluded Software: 

The Excluded Software consists of the open source code software known as Linux 
included with the Appliance. All Excluded Software is licensed under the GNU 
General Public License, Version 2, June 1991, a copy of which is included with the 
user documentation for the Appliance. The license entitles You to receive a copy 
of the source code for Linux only upon request at a nominal charge. If you are 
interested in obtaining a copy of such source code, please contact Symantec 
Customer Service at one of the above addresses for further information. 
Serial Port Cable 

Serial 9-Pin Cable Specifications 

Use a cable that meets the following specifications to connect to the serial port of 
your appliance. 

Table C-1 Serial 9-Pin Cable Connections 

DB-9   Direction   Description 
1      <           DCD (Data Carrier Detect) 
2      <           RX (Receive Data) 
3      >           TX (Transmit Data) 
4      >           DTR (Data Terminal Ready) 
5                  GND (Signal Ground) 
6      <           DSR (Data Set Ready) 
7      >           RTS (Request To Send) 
8      <           CTS (Clear to Send) 
9      <           RI (Ring Indicator) 
Troubleshooting 

Up-to-date troubleshooting information for the VelociRaptor 1.5 (and all 
Symantec products) is available on the Symantec website, www.symantec.com. 

To access VelociRaptor troubleshooting information 

1 Go to www.symantec.com 

2 Click the service & support button on the top of the welcome screen. 

3 Click the I am an enterprise user button in the middle of the service & 
support screen. 

4 Select Symantec VelociRaptor from the Select a product pull down list. 

5 Select version 1.5 from the Select a version pull-down list. 

6 Click the continue button. 

7 Click the Knowledge Base link next to the solve a technical issue section in 
the middle of the Support Solutions page. 

You can search or browse the VelociRaptor knowledge base for 
troubleshooting information using the directions provided on the 
Knowledge Base page. 